2
votes

I would like to support a multi-tenant rails application with conditional support for Kerberos authentication by tenant.

The examples I've seen with mod_auth_kerb assume the apache server will reach out directly to the KDC for validating the ticket. In my case, I would like the server to have the client browser negotiate w/ the KDC and provide the appropriate ticket. I believe this is done by returning a 401 w/ www-negotiate header and the client browser will then call back with the ticket. The apache server would then just validate the ticket against the appropriate keytab. My understanding is I will need a keytab from each domain that will support Kerberos auth.

So, I think I can easily provide an "/auto_login" route that Apache then enforces Kerberos on. However, I'm not quite sure how to have Apache choose the right keytab; e.g. if I hit /auto_login?client=abc to validate against ABC's keytab.

I currently use Devise. A custom strategy (see "Devise ignoring custom strategy") would be nice, but it seems I have the same issue in configuring the Krb5 gem (unsupported now?) to handle multiple keytabs and determine which to validate against.

1
Do you want it to work across multiple kerberos realms or simply different service principals within the same realm? - Fred the Magic Wonder Dog

Thanks for the question @FredtheMagicWonderDog. I believe multiple realms; e.g. users coming from CUSTA.COM, CUSTB.COM, WHATEVER.COM. So, a keytab from each. I'm thinking I may need a custom Location config for each realm pointing to each domain. Am I on the right track? - Mark Nadig

Yes, although the problem is that kerberos requires client/host agree on the service principal by some out of band convention. Getting the clients to use the service principal in the keytab is going to be quite difficult if the IP address of the server does not resolve to a host in that realm. - Fred the Magic Wonder Dog

1 Answer

1
vote

How many distinct realms do you have? mod_auth_kerb works fine with multiple realms, as long as their KDCs are capable of validating the trust relationship and issuing cross-realm TGTs, and your krb5.conf configuration does proper mapping to those realms.

If you are able to establish cross-realm trusts between the realms, then the problem will already be solved -- just specify all accepted realms in mod_auth_kerb's configuration:

KrbAuthRealms CUSTA.COM CUSTB.COM WHATEVER.COM
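For readers who want to see the whole picture, here is an added example of an Apache Location block that puts the answer's KrbAuthRealms line into context (this is illustration written for this page, not configuration from the poster or from the mod_auth_kerb project). The host name app.example.com, the keytab path and the /auto_login route are assumptions; the realm names are the ones used in the question.

```apache
# Added example (not from the original post). Assumes the web server is
# reachable as app.example.com and that the three realms trust each other.
LoadModule auth_kerb_module modules/mod_auth_kerb.so

<Location /auto_login>
    AuthType Kerberos
    AuthName "Kerberos Login"

    # Every realm whose users may log in here. mod_auth_kerb will accept a
    # service ticket from any of them, provided cross-realm trust exists and
    # krb5.conf maps each realm to its KDCs.
    KrbAuthRealms CUSTA.COM CUSTB.COM WHATEVER.COM

    # The service principal browsers will ask their KDC for. The host part must
    # be the name clients actually use for this server (the "out of band
    # convention" from the comments above).
    KrbServiceName HTTP/app.example.com

    # Keytab holding the key for HTTP/app.example.com. Keep it readable by the
    # httpd user only; anyone who can read it can impersonate the service.
    Krb5KeyTab /etc/httpd/conf/http.keytab

    # SPNEGO only: reply 401 with "WWW-Authenticate: Negotiate" so the browser
    # fetches a ticket, and never fall back to prompting for a password.
    KrbMethodNegotiate On
    KrbMethodK5Passwd Off

    # Leave the realm on REMOTE_USER so the application can distinguish
    # alice@CUSTA.COM from alice@CUSTB.COM.
    KrbLocalUserMapping Off

    Require valid-user
</Location>
```

On success mod_auth_kerb sets REMOTE_USER to the authenticated principal (for example alice@CUSTA.COM), which is what a custom Devise strategy behind this route would read and map to a tenant. On the Kerberos side, the realm-to-KDC mapping the answer mentions lives in krb5.conf: a [realms] entry per realm, [domain_realm] entries mapping each customer's DNS domain to its realm, and, if the trust path between realms is not direct, a [capaths] section describing it.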