changes.
| | h1. Purpose |
| | |
| | This tutorial explains how to set up an environment so that Windows domain user can access QuickBuild without using password. |
| | |
| | h1. Assumptions |
| | |
| | # Windows domain is _example.com_ |
| | # Windows domain controller server is Windows 2012 R2, and can be accessed via LDAP protocol: _ldap://dc.example.com:389_ |
| | # QuickBuild server is installed at Ubuntu 3.13.0-40-generic, with DNS name _build.example.com_, and running on port 8810 |
| | |
| | h1. Steps |
| | # Login to ubuntu server, and make sure below commands work as expected: |
| | #* {code}$ nslookup build.example.com{code} |
| | This command should return ip address of the ubuntu server |
| | #* {code}$ nslookup <ip address of ubuntu server>{code} |
| | This command should return _build.example.com_ |
| | #* Make sure _build.example.com_ is the only host record in your DNS pointing to the ubuntu server, and vice versa for the reverse lookup dns records (PTR). Otherwise, single sign-on may not work for some unknown reason. |
| | # Create a domain user _quickbuild_ in your domain controller, with following options: |
| | !create_domain_user.png! |
| | # Create another domain user _apache_ with same options as above |
| | # On domain controller, open powershell as Administrator, and run below command to generate keytab for apache user: |
| | {code}ktpass -princ HTTP/build.example.com@EXAMPLE.COM -mapuser apache -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -pass <password of apache user> -out apache.keytab{code} |
| | The generated _apache.keytab_ will be used later. |
| | # Login to ubuntu server to install and configure kerberos client package: |
| | {code}sudo apt-get install krb5-user{code} |
| | Input _EXAMPLE.COM_ when installation procedure asks for default Kerberos realm. After installing Kerberos, modify _/etc/krb5.conf_: |
| | #* add below under section _\[realms\]_: |
| | {code} |
| | EXAMPLE.COM = { |
| | kdc = dc.example.com |
| | default_domain = example.com |
| | } |
| | {code} |
| | #* add below under section _\[domain_realm\]_ |
| | {code} |
| | .example.com = EXAMPLE.COM |
| | example.com = EXAMPLE.COM |
| | {code} |
| | Now test if Kerberos client works by runnig command _kinit _<your Windows domain logon name>_. If configured correctly, it should prompt you to input your domain password to get the ticket. Then you should be able to list the ticket by running _klist_. |
| | # Continue to configure apache httpd server on the ubuntu server: |
| | #* Install apache httpd server if it is not already installed: |
| | {code}sudo apt-get install apache2{code} |
| | #* Install apache kerberos module if it is not already installed: |
| | {code}sudo apt-get install libapache2-mod-auth-kerb{code} |
| | #* Enable below apache modules: |
| | {code} |
| | $ sudo a2enmod proxy_http rewrite headers |
| | {code} |
| | #* Copy file _apache.keytab_ generated above from your domain controller to ubuntu server and place it under directory _/etc/apache2_, and then run below commands against the file: |
| | {code} |
| | $ sudo chown www-data apache.keytab |
| | $ sudo chgrp www-data apache.keytab |
| | $ sudo chmod 600 apache.keytab |
| | {code} |
| | # Create file _/etc/apache/sites-available/build.example.com.conf_ with below content to define virtual host for QuickBuild: |
| | {code} |
| | <VirtualHost *:80> |
| | # if you are configuring reverse proxy with https enabled, make sure to prepend the ServerName |
| | # directive with "https://" schema, for example: https://build.example.com:443 |
| | ServerName build.example.com |
| | |
| | ProxyRequests Off |
| | |
| | # turn off this option. We will rely on ProxyPassReverse to translate |
| | # urls in Http response headers. |
| | ProxyPreserveHost Off |
| | |
| | <Proxy *> |
| | Order allow,deny |
| | Allow from all |
| | </Proxy> |
| | |
| | ProxyPass / http://localhost:8810/ |
| | ProxyPassReverse / http://localhost:8810/ |
| | |
| | <Location /> |
| | AuthType Kerberos |
| | AuthName "Build Server" |
| | KrbAuthRealms EXAMPLE.COM |
| | KrbServiceName HTTP |
| | Krb5Keytab /etc/apache2/apache.keytab |
| | KrbMethodNegotiate on |
| | |
| | # Turn on this option in case the browser does not support Kerberos authentication, |
| | # in that case, it will fall back to http basic authentication to prompt user for |
| | # password. |
| | KrbMethodK5Passwd on |
| | |
| | Require valid-user |
| | |
| | # Below directives puts logon name of authenticated user into http header _X-Forwarded-User_ |
| | # so that QuickBuild can use it |
| | RequestHeader unset X-Forwarded-User |
| | RewriteEngine On |
| | RewriteCond %{LA-U:REMOTE_USER} (.+) |
| | RewriteRule .* - [E=RU:%1,NS] |
| | RequestHeader set X-Forwarded-User %{RU}e |
| | |
| | # Remove domain suffix to get the simple logon name |
| | RequestHeader edit X-Forwarded-User "@EXAMPLE.COM$" "" |
| | </Location> |
| | |
| | # Below directives turn off Kerberos authentication for various QuickBuild services as their clients |
| | # are not able to handle Kerberos authentication. QuickBuild will use the traditional http basic |
| | # authentication in this case. |
| | <LocationMatch "/(rest|service|agent_update|file_transfer|download|batch_download)"> |
| | AuthType None |
| | Order allow,deny |
| | Allow from all |
| | |
| | RequestHeader unset X-Forwarded-User |
| | </LocationMatch> |
| | |
| | ErrorLog ${APACHE_LOG_DIR}/quickbuild-error.log |
| | CustomLog ${APACHE_LOG_DIR}/quickbuild-access.log combined |
| | LogLevel warn |
| | </VirtualHost> |
| | {code} |
| | # Run below commands to enable virtual host created above and restart Apache: |
| | {code} |
| | $ a2ensite build.example.com.conf |
| | $ sudo service apache2 restart |
| | {code} |
| | # Login to QuickBuild as administrator and switch to page _Administration/Security Settings_ to perform below tasks: |
| | #* Add an authenticator of type _Active Directory_ with below properties: |
| | !ad.png! |
| | #* Trust user name in http header _X-Forwarded-User_ passed from Apache reverse proxy like below: |
| | !trust-user.png! |
| | Here we only trust this header if it originates from ip _127.0.0.1_ as Apache is installed on the same server |
| | # Now everything has been configured at server side, logon to a Windows workstation with your domain account and open your browser. Before visiting _build.example.com_, we still need to configure the browser to trust url example.com: |
| | #* on Internet Explorer, open _Internet Options/Security /Local intranet_ to add _.example.com_: |
| | !ie_intranet.png! |
| | #* Chrome internet option is pretty much the same as Internet Explorer |
| | #* on Firefox, input _about:config_ on the address bar, and search for _negotiate_ in the config. Then add _example.com_ to config _network.negotiate-auth.delegation-uris_ and _network.negotiate-auth.trusted-uris_ like below: |
| | !firefox-intranet.png! |
| | Now you should be able to visit _http://build.example.com_ without using any password. QuickBuild will display your current domain user as logged-in user. |
| | |
| | | {info} In case you want to sign in as a different user in this single sign-in environment, just sign out from QuickBuild, and input desired user/password to login to QuickBuild again. The nxt time{info} |
| | | {info} In case you want to sign in as a different user in this single sign-in environment, just sign out from QuickBuild, and input desired user/password to login to QuickBuild again.{info} |
Single Sign-On with Windows Domain Account