Kerberos Authentication

In PrivX you may enable Kerberos Single Sign On (SSO) for PrivX users belonging to one AD/LDAP user directory. Users from that directory can, after initial login to a Kerberos client, log into the PrivX GUI without having to retype their credentials.

Prerequisites

Make sure the following are in place before setting up Kerberos authentication for PrivX:

  • You need a functioning Kerberos Key Distribution Center (KDC) and admin server. These services may be run on the same server.

  • Kerberos servers must be able to resolve the host names of your PrivX servers.

  • Users must be part of an AD/LDAP user directory. The user directory must have been added to PrivX. Furthermore, users from that directory must have access to some Kerberos client for obtaining their Kerberos tickets (such as Windows login or kinit). Note that you may only enable Kerberos authentication for one user directory in PrivX at any time.

    For more information about adding user directories to PrivX, see Importing Users from AD/LDAP.

Kerberos Setup

To enable Kerberos authentication for PrivX users belonging to a user directory, repeat the following steps for all your PrivX servers:

  1. To add PrivX as a service to Kerberos, create a unique service principal for the PrivX server. The principal name must follow the syntax:

    HTTP/privx.example.com@EXAMPLE.COM

    Replace the example values as follows:

    • privx.example.com - the PrivX server name.

    • EXAMPLE.COM - the name of your Kerberos realm.

  2. To allow PrivX to authenticate against the KDC, obtain a keytab of the PrivX service principal. The keytab entries should be encrypted using algorithms supported by your Kerberos environment. If using Windows Kerberos, also ensure the keytab is mapped to the user account associated with the PrivX service principal.

🚧 Caution

Ensure that the keytab is never exposed to unauthorized personnel. Malicious users with access to the keytab may use it to impersonate services.

  1. On your PrivX server, add the keytab to /etc/krb5.keytab.

    Also ensure the keytab file is readable by the local user privx. For example:

    # chown privx:privx /etc/krb5.keytab
    # chmod 0400 /etc/krb5.keytab
  2. Configure your PrivX server to connect to your KDC. To do this, add a similar configuration to /etc/krb5.conf on the PrivX server:

    [libdefaults]
        default_realm = EXAMPLE.COM
    
    # The following krb5.conf variables are only for MIT Kerberos.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
    
    
    [realms]
        EXAMPLE.COM = {
            kdc = dc.example.com
            admin_server = dc.example.com
        }
    
    [login]
        krb4_convert = true
        krb4_get_tickets = false

    Adjust the configuration according to your Kerberos environment. At a minimum, change default_realm to the actual name of your Kerberos realm, change the [realms] section to include the actual name of your Kerberos realm, and specify the addresses of its KDC and Kerberos admin server.

    Save your changes to the file.

  3. On the PrivX server, adjust the PrivX settings in /opt/privx/etc/auth-default-config.toml. You will have to set the following:

    • kerberos_enabled - set to true

    • kerberos_service_name - set this equal to the PrivX service principal.

    • kerberos_directory_name - the name of the user directory for which Kerberos is enabled. For a list of directories and their names, see the Settings→Directories page in the PrivX GUI.

    • kerberos_realm_name - the name of your Kerberos realm.

    Example values for these settings:

    kerberos_enabled=true
    kerberos_service_name="HTTP/privx.example.com@EXAMPLE.COM"
    kerberos_directory_name="Example AD 01"
    kerberos_realm_name="EXAMPLE.COM"

    Save your changes to the file.

  4. On the PrivX server, restart PrivX services to apply the changes:

    # systemctl restart privx

    Once you have completed these steps on each PrivX server, Kerberos SSO is enabled.
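
A sanity check to run before restarting PrivX, covering the keytab permissions and the auth settings from the steps above. This is an added example, not part of PrivX or its documentation; the function names are hypothetical, and it assumes GNU coreutils stat and one key=value setting per line.

```shell
# Added example (not PrivX code). Assumes GNU coreutils stat and one
# key=value setting per line, as in the sample settings above.

# check_keytab FILE OWNER: succeed only if FILE is owned by OWNER with mode 0400.
check_keytab() {
    [ -f "$1" ] || { echo "missing keytab: $1" >&2; return 1; }
    kt_owner=$(stat -c '%U' "$1")
    kt_mode=$(stat -c '%a' "$1")
    [ "$kt_owner" = "$2" ] ||
        { echo "$1: owner is $kt_owner, expected $2" >&2; return 1; }
    [ "$kt_mode" = "400" ] ||
        { echo "$1: mode is $kt_mode, expected 400" >&2; return 1; }
}

# toml_value FILE KEY: print the value of the first "KEY = value" line, unquoted.
toml_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed -e 's/[[:space:]]*$//' -e 's/^"//' -e 's/"$//' | head -n 1
}

# check_auth_config FILE: succeed only if Kerberos is enabled, the service
# principal has the form HTTP/<host>@<REALM>, and the realm in the principal
# equals kerberos_realm_name.
check_auth_config() {
    [ "$(toml_value "$1" kerberos_enabled)" = "true" ] ||
        { echo "kerberos_enabled is not true" >&2; return 1; }
    spn=$(toml_value "$1" kerberos_service_name)
    realm=$(toml_value "$1" kerberos_realm_name)
    case $spn in
        HTTP/?*@?*) ;;
        *) echo "bad service principal: $spn" >&2; return 1 ;;
    esac
    [ "${spn##*@}" = "$realm" ] ||
        { echo "principal realm ${spn##*@} != kerberos_realm_name $realm" >&2; return 1; }
}

# On a PrivX server (paths and user taken from the steps above):
#   check_keytab /etc/krb5.keytab privx &&
#       check_auth_config /opt/privx/etc/auth-default-config.toml
```

Both functions print the reason to stderr and return non-zero on the first failed check, so they can gate the restart in a deployment script.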

Logging in with Kerberos

After you have set up Kerberos SSO, PrivX users belonging to the configured user directory can log in as follows:

  1. Obtain your Kerberos ticket, for example, by logging into a machine with Kerberos authentication or by running kinit.

  2. Access the PrivX login page. You will be automatically logged into PrivX, without having to re-enter your credentials.
