Kerberos Single Signon with Joomla! or other PHP apps
Written by Sam Moffatt   
Sunday, 10 June 2007 01:16
This document covers the basics of configuring Kerberos single sign-on for Joomla! and assumes that Kerberos itself is already configured properly. Like other web applications, Joomla has a large number of supporting files on the server (JavaScript, CSS, images) that need to be transferred along with each page. If you are using the base files from the Kerberos for SLES9 document, you will find that Joomla triggers a password dialog. This document explains how to solve this problem.

Step 1: Altering the .htaccess file

By limiting the Kerberos requirement to PHP documents only, we secure the executable entry point. This could be expanded to Word, Excel and other files, but images should be left out for obvious reasons. This will prevent access to the system via the standard means, hopefully obscuring files that might be within the system. Use the .htaccess file below:

<FilesMatch "\.php$">
        AuthType Kerberos
        AuthName "Enter your Novell Login"
        KrbMethodNegotiate On
        KrbAuthRealms
        KrbSaveCredentials on
        KrbMethodK5Passwd On
        KrbServiceName HTTP
        require valid-user
</FilesMatch>

This sets up Kerberos authentication for all .php documents. It also means that .htm and .html documents are ignored, which is useful because of a flaw that appears to exist with this method. When the file is accessed directly (e.g. http://example.com/kerberos/index.php), the single sign-on system kicks in and is automatic. When the default document handler is invoked (e.g. http://example.com/kerberos/) and index.php is the only option, the system responds with an authorization failure. This is due to the Kerberos back end falsely detecting a replay attack, because the two requests are passed through it at the same time (and thus are technically a replay). A secondary page called index.html takes precedence over index.php and is used as the default document. As Kerberos is not enabled for this file, it doesn't suffer from the replay issue. The simple file below also provides a small message for those who may not have single sign-on configured properly in IE:

<html>
        <head>
                <title>Automated Signon System</title>
                <meta http-equiv="refresh" content="0;url=index.php">
        </head>
        <body>
                <p align="center">Please wait while the automated signon system initializes for this application...<br>If you are asked for a password, please enter your login details.</p>
        </body>
</html>

This simple file needs to be placed in every directory that contains an index.php document it should override. If it doesn't properly override index.php, search for the DirectoryIndex directive in the global configuration and ensure that index.html is ahead of index.php in this list. You may need to restart Apache. After this, single sign-on should work fine.

Why only PHP files?
The simple fact is that PHP files are the only ones we can use to check whether the user is actually allowed access to the system. Since Kerberos is executed at the Apache layer, it runs before any PHP scripts are initialized (and before the check for whether the file exists is done). From there a server variable is passed to PHP, and the PHP scripts use it to verify that the user is valid on that system.
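The check described above could look like the following. This is an added example, not code from the original article or from Joomla. It assumes the Kerberos module exposes the authenticated principal to PHP as $_SERVER['REMOTE_USER'] in the form name@REALM (the article does not name the variable); the realm, the account names and the function resolveKerberosUser() are constructed for illustration.

```php
<?php
// Added example: map the Kerberos principal that Apache hands to PHP onto an
// application account. Realm and account names below are constructed.

const ALLOWED_REALMS = ['EXAMPLE.COM'];          // assumption: your realm(s)
const APP_USERS = ['alice' => 'Administrator',   // assumption: stands in for
                   'bob'   => 'Registered'];     // the application's user table

/**
 * Return the application account name for an authenticated principal,
 * or null when the request must not be treated as logged in.
 */
function resolveKerberosUser(array $server): ?string
{
    $principal = $server['REMOTE_USER'] ?? '';
    if (!is_string($principal) || $principal === '') {
        return null;                 // Apache did not authenticate this request
    }
    // Expect exactly "name@REALM"; reject anything else instead of guessing.
    $pattern = '/\A([A-Za-z0-9._-]{1,64})@([A-Za-z0-9.-]{1,255})\z/';
    if (!preg_match($pattern, $principal, $m)) {
        return null;
    }
    [, $name, $realm] = $m;
    // Compare the realm exactly against the allow-list, so a principal from
    // another realm is never matched to a local account by name alone.
    if (!in_array($realm, ALLOWED_REALMS, true)) {
        return null;
    }
    // A valid ticket is not enough: the account must also exist in the app.
    return array_key_exists($name, APP_USERS) ? $name : null;
}

// Constructed sample requests, so the script also runs from the command line.
$samples = [
    ['REMOTE_USER' => 'alice@EXAMPLE.COM'],      // known user, expected realm
    ['REMOTE_USER' => 'carol@EXAMPLE.COM'],      // valid ticket, no app account
    ['REMOTE_USER' => 'alice@OTHER.EXAMPLE'],    // realm not on the allow-list
    ['REMOTE_USER' => 'alice'],                  // no realm part
    [],                                          // variable not set at all
];
foreach ($samples as $server) {
    $user = resolveKerberosUser($server);
    printf("%-22s => %s\n", $server['REMOTE_USER'] ?? '(unset)', $user ?? 'denied');
}
```

Only the first sample resolves to an account; the other four are denied, which is the behaviour to keep when adapting the lookup to a real user table.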
Last Updated on Friday, 25 April 2008 15:03