Goal: In a Windows domain environment, an intranet user browsing with IE or Firefox can authenticate to a website hosted on Linux/Apache without a password prompt, i.e. Single Sign On (SSO). During the course of the setup, the Linux box will join the domain and have a computer account created for it.
Non Goal: Enabling domain logon for Linux in general. Authorization is also not discussed.
Introduction

If the target is merely to accept the domain's credentials, the problem is actually much easier. KB555092 is one way to achieve that, but it basically means the credentials are transmitted in clear text to the web server, which then verifies them against the domain controller. If a website set up this way is browsed with IE, the prompt will state this problem clearly, and it won't do SSO either. To the client this is very insecure: even with SSL enabled, it means the web server has control of the credentials. All in all, KB555092 is not what I want. I think other solutions, such as LDAP, could achieve a similar result.
The key point in KB555092 is that KrbMethodNegotiate is Off, which prevents SSO from happening. However, turning it on is not as simple as flagging it On; there are quite a few steps that need to be done in the background.
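To make the difference concrete, here is an added example (not from the original post or from KB555092) of the two mod_auth_kerb configurations side by side: the password-prompt variant described above, and the Negotiate variant that gives SSO. The realm, service principal and keytab path are placeholders; the Negotiate variant assumes the keytab for the HTTP/ service principal has already been created and copied to the Linux box, which is exactly the background work the post refers to.

```apache
# --- Variant A: the KB555092 style, no SSO ---
# The browser shows a Basic-auth prompt and sends the user's
# domain password to Apache in clear text (over SSL at best).
<Location /intranet-basic>
    AuthType Kerberos
    AuthName "Domain Login"
    KrbAuthRealms EXAMPLE.LOCAL          # placeholder realm
    KrbMethodNegotiate Off               # this is what blocks SSO
    KrbMethodK5Passwd On                 # Apache verifies the password with the KDC
    KrbVerifyKDC On                      # detect a spoofed KDC answering for the realm
    require valid-user
</Location>

# --- Variant B: SPNEGO/Negotiate, SSO for domain-joined clients ---
# The browser obtains a Kerberos service ticket from the domain
# controller and presents it; the password never reaches Apache.
<Location /intranet-sso>
    AuthType Kerberos
    AuthName "Domain Login"
    KrbAuthRealms EXAMPLE.LOCAL          # placeholder realm
    KrbServiceName HTTP/www.example.local@EXAMPLE.LOCAL   # placeholder SPN; assumed to exist
    Krb5Keytab /etc/apache2/http.keytab  # placeholder path; keytab assumed to be in place
    KrbMethodNegotiate On                # enables the Negotiate (SPNEGO) challenge
    KrbMethodK5Passwd Off                # no fallback to clear-text password prompts
    KrbVerifyKDC On
    require valid-user
</Location>
```

With KrbMethodK5Passwd Off, a browser that is not domain-joined or not configured to trust the site for Negotiate simply gets a 401 instead of a password prompt, which is the safer failure mode for the client.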