Page tree
Skip to end of metadata
Go to start of metadata

The Apache HTTP server is the Apache Software Foundation's web server. See the project's website for more details.


All of the instructions below assume that you have root access, and will work as the root user (either directly or using sudo).

1. System Preparation

1.1. Add the Moonshot libraries

If you have not already done so, you first need to follow the instructions on how to install the Moonshot Libraries on Debian 8.

2. Installation Instructions

  1. To use the Apache module, install it and the MIT Kerberos client package:

    $ apt-get install krb5-user apache2-mpm-prefork libapache2-mod-auth-gssapi
  2. To install the Apache module, issue the following command (or create the appropriate symlinks manually):

    $ a2enmod auth_gssapi
  3. Add a dummy Kerberos key to make the module happy:

    $ ktutil
    ktutil:  addent -password -p HTTP/localhost@YOUR-WEBSERVER-HOSTNAME -k 1 -e aes256-cts
    <enter any password>
    ktutil:  wkt /etc/apache2/krb5.keytab
    ktutil:  quit
  4. Export the location of the keytab file into Apache's config:

    $ echo export KRB5_KTNAME=/etc/apache2/krb5.keytab >> /etc/apache2/envvars
  5. Assign the correct permissions to the keytab file:

    $ chown www-data /etc/apache2/krb5.keytab
  6. Ensure that the certificates referenced in /etc/radsec.conf can be read by the Apache user:

    $ su - --shell=/bin/bash www-data
    $ cat path_to_ca.pem
    $ cat path_to_client.pem
    $ cat path_to_client.key
  7. Verify that the KeepAlive option is enabled in the Apache configuration file /etc/apache2/apache2.conf:

    KeepAlive On
  8. Restart Apache:

    $ service apache2 restart

3. Configuration Instructions

Shibboleth2 Apache module incompatibility

Please read Section 6.2 in Apache HTTPD on module incompatibilities.

3.1. Protecting a location with Moonshot

To protect a particular location on your Apache server, you must configure it with an AuthType of "Negotiate".


To allow anyone with a valid Moonshot account to access /wherever, you would do the following:

<Location "/wherever">
    AuthType Negotiate
    Require valid-user

3.2. Populating REMOTE_USER

Web services often rely on the REMOTE_USER Apache environment variable for user information, such as a local user account or a pseudonymous identifier.

To populate REMOTE_USER, update the reply from the RP Proxy with the User-Name RADIUS attribute in the RP Proxy's post-auth section:

update reply {
        User-Name := "content"

3.3. HTTPS Internet Explorer compatibility

For updated best practice with Internet Explorer connections, you should also read Microsoft's HTTPS and Keep-Alive Connections article.

  • No labels