Add Windows/AD and UNIX commands and configuration to generate and use Keytabs with nginx #91
Dear @stnoonan -
first, thanks for your work on this nginx module, which has proven very robust and reliable in the last 5 years it has been in production for us.
This pull is for discussion only, as it contains only README changes on how to obtain a Windows service account mapped to specific service names that are not dependent on the host name of the system where nginx is running.
The scenario here is that you may have multiple boxes with nginx on them serving the same app, say, "foo.example.com", behind a load balancer. The nginx servers need to have a keytab that has both the `host/foo.example.com` and `HTTP/foo.example.com` entries, and on the AD side the service account used for Kerberos authentication needs to have these two SPNs mapped to it, in the very same "host/" first and "HTTP/" after order. It is also possible to have different service names mapped to the same service account, as long as the `host/` and `HTTP/` entries in the Windows SPN database are in the right order.

The documentation in this pull shows all the steps required to achieve the above, which allow for great flexibility and have been tested with AD on Windows Server 2008, 2012, 2016 and with both IE 11 and Chrome on Windows 7 and Windows 10.
Thanks for your time,
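A check that goes with the setup described above, added here as an example and not part of the module or of this pull: once the keytab for the nginx boxes has been generated and merged, it is worth confirming offline that it actually carries both the `host/` and `HTTP/` entries for the shared service name, in which order they appear, and that all entries share one key version number (kvno). The parser below reads the MIT keytab format (version 0x0502) that `ktpass`, `ktutil` and `klist -kt` all use; the service name `foo.example.com` and realm `EXAMPLE.COM` are taken from the description, while the sample keytab is constructed in memory with dummy key bytes so the script runs without a domain.

```python
import struct
from dataclasses import dataclass

KEYTAB_MAGIC = b"\x05\x02"          # MIT keytab file format version 0x0502
KRB5_NT_PRINCIPAL = 1               # name type written by ktpass /ptype KRB5_NT_PRINCIPAL
ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 18
ENCTYPE_AES128_CTS_HMAC_SHA1_96 = 17


@dataclass
class KeytabEntry:
    principal: str     # e.g. "HTTP/foo.example.com@EXAMPLE.COM"
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key_len: int


def _counted_octets(buf: bytes, off: int):
    """Read a uint16 length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data: bytes) -> list[KeytabEntry]:
    """Parse every live entry of a v0x0502 keytab, skipping deleted holes."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 0x0502 keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size == 0:
            break
        if size < 0:                      # negative size marks a deleted entry
            off += -size
            continue
        end = off + size
        p = off
        (ncomp,) = struct.unpack_from(">H", data, p); p += 2
        realm, p = _counted_octets(data, p)
        comps = []
        for _ in range(ncomp):
            c, p = _counted_octets(data, p)
            comps.append(c.decode())
        name_type, ts, vno8, enctype, klen = struct.unpack_from(">IIBHH", data, p)
        p += 13 + klen                    # skip the key material itself
        kvno = vno8
        if end - p >= 4:                  # optional 32-bit kvno overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", data, p)
            if vno32:
                kvno = vno32
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, ts, kvno, enctype, klen))
        off = end
    return entries


def build_keytab(specs) -> bytes:
    """Constructed sample only: write (principal, kvno, enctype, key) tuples as a keytab."""
    out = bytearray(KEYTAB_MAGIC)
    for princ, kvno, enctype, key in specs:
        name, realm = princ.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def check_service_keytab(data: bytes, service_host: str, realm: str):
    """Return (problems, principal order) for the host/ and HTTP/ entries of one service name."""
    entries = parse_keytab(data)
    wanted = [f"host/{service_host}@{realm}", f"HTTP/{service_host}@{realm}"]
    problems = [f"missing {w}" for w in wanted
                if not any(e.principal == w for e in entries)]
    kvnos = sorted({e.kvno for e in entries if e.principal in wanted})
    if len(kvnos) > 1:
        problems.append(f"kvno mismatch across entries: {kvnos}")
    order = []
    for e in entries:                     # file order, one mention per principal
        if e.principal in wanted and e.principal not in order:
            order.append(e.principal)
    return problems, order


if __name__ == "__main__":
    sample = build_keytab([
        ("host/foo.example.com@EXAMPLE.COM", 3, ENCTYPE_AES256_CTS_HMAC_SHA1_96, b"\x11" * 32),
        ("HTTP/foo.example.com@EXAMPLE.COM", 3, ENCTYPE_AES256_CTS_HMAC_SHA1_96, b"\x22" * 32),
    ])
    print(check_service_keytab(sample, "foo.example.com", "EXAMPLE.COM"))
```

The kvno check matters in practice: every `ktpass` run that resets the account password bumps the account's key version, so entries produced in separate runs and merged later can disagree with each other and with what the KDC now encrypts service tickets under, which shows up as GSSAPI acceptor failures in nginx rather than as a visible keytab error. Run the same script against the real file with `open("nginx.keytab", "rb").read()` after each change to the service account.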