Thursday, January 16, 2014

Set up a kerberos protected apache server on CentOS 6.5 x86_64

1. Install packages
# yum install mod_auth_kerb ipa-client ipa-admintools

2. Join the Kerberos domain
Make sure the IPA server can resolve the HTTP server's hostname (DNS and/or /etc/hosts), and sync the clock first: Kerberos rejects tickets when the clock skew between a host and the KDC exceeds the allowed limit (5 minutes by default).
# ntpdate 0.centos.pool.ntp.org
# ipa-client-install --domain dev.id.aaf.edu.au --server iam1.dev.id.aaf.edu.au

3. Add service principal
# kinit admin
# ipa service-add HTTP/krbhttpservice.dev.id.aaf.edu.au

4. Retrieve the Kerberos keytab (ipa-getkeytab generates a new key for the principal, so any keytab previously issued for it stops working)
# ipa-getkeytab -s iam1.dev.id.aaf.edu.au -p HTTP/krbhttpservice.dev.id.aaf.edu.au -k /etc/httpd/conf/krb5.keytab
# chown apache:apache /etc/httpd/conf/krb5.keytab
# chmod 0600 /etc/httpd/conf/krb5.keytab

5. Configure apache
Open /etc/httpd/conf.d/auth_kerb.conf and edit it as below. SSLRequireSSL is a mod_ssl directive, so mod_ssl must be installed and an SSL virtual host configured; without it httpd will not start, and without SSL the Negotiate tokens travel in the clear and can be replayed.
#
# The mod_auth_kerb module implements Kerberos authentication over
# HTTP, following the "Negotiate" protocol.
#

LoadModule auth_kerb_module modules/mod_auth_kerb.so
#
# Sample configuration: Kerberos authentication must only be
# used over SSL to prevent replay attacks.  The keytab file
# configured must be readable only by the "apache" user, and
# must contain service keys for "HTTP/www.example.com", where
# "
www.example.com" is the FQDN of this server.
#

<Location /kerberos_protected>
  SSLRequireSSL
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate On
  KrbMethodK5Passwd Off
  KrbServiceName HTTP/krbhttpservice.dev.id.aaf.edu.au

  KrbAuthRealms DEV.ID.AAF.EDU.AU
  Krb5KeyTab /etc/httpd/conf/krb5.keytab
  require valid-user
</Location>


6. Enable and start apache (restart it if it was already running)
# chkconfig httpd on
# service httpd start

7. Test from a client machine. Like the server, the client must be enrolled in the Kerberos domain:
# yum install ipa-client
# ntpdate 0.centos.pool.ntp.org
# ipa-client-install --domain dev.id.aaf.edu.au --server iam1.dev.id.aaf.edu.au
# kinit <username>
# curl -I -k --negotiate -u : https://krbhttpservice.dev.id.aaf.edu.au/kerberos_protected/phptest.php
Here -u : tells curl to use the credentials from the ticket cache that kinit populated, and -k disables verification of the server's TLS certificate, which is acceptable only for this test. The output should look like this:
HTTP/1.1 401 Authorization Required
Date: Fri, 17 Jan 2014 03:35:37 GMT
Server: Apache/2.2.15 (CentOS)
WWW-Authenticate: Negotiate
Connection: close
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 200 OK
Date: Fri, 17 Jan 2014 03:35:37 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Connection: close
Content-Type: text/html; charset=UTF-8
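Before restarting httpd in step 6 it is worth checking the pieces that commonly go wrong: the <Location> block must require SSL, must not fall back to password authentication, must name the same principal that ipa-getkeytab put in the keytab, and must carry a Require line, and the keytab must be readable by the apache user only. The script below is an added example, not code from the original post; it lints a constructed weak block beside the hardened block from step 5 and checks keytab permissions. It assumes GNU stat (as on CentOS) and that the caller supplies the config path, expected principal, keytab path and owner.

```shell
#!/bin/sh
# Added example, not part of the original post: pre-flight checks for a
# mod_auth_kerb <Location> block and its keytab, to run before restarting httpd.
# Assumptions: GNU stat (as on CentOS); directive names as mod_auth_kerb uses
# them; config path, expected principal, keytab path and owner come from the caller.

problems=0
flag() { echo "  problem: $1"; problems=$((problems + 1)); }

# lint_kerb_conf CONF EXPECTED_PRINCIPAL
# Prints one line per problem found; returns 0 only when the block is clean.
lint_kerb_conf() {
    conf=$1; principal=$2; problems=0
    # Negotiate tokens can be replayed, so the location must be TLS-only.
    grep -Eiq '^[[:space:]]*SSLRequireSSL' "$conf" \
        || flag "SSLRequireSSL missing"
    # KrbMethodK5Passwd defaults to On, which lets a client send the user's
    # Kerberos password as HTTP Basic credentials; insist on an explicit Off.
    grep -Eiq '^[[:space:]]*KrbMethodK5Passwd[[:space:]]+Off' "$conf" \
        || flag "KrbMethodK5Passwd is not Off"
    # The service name must be the principal whose key is in the keytab.
    grep -Eiq "^[[:space:]]*KrbServiceName[[:space:]]+$principal[[:space:]]*\$" "$conf" \
        || flag "KrbServiceName is not $principal"
    # AuthType alone enforces nothing; the Require line is what denies anonymous access.
    grep -Eiq '^[[:space:]]*Require[[:space:]]+' "$conf" \
        || flag "no Require directive"
    [ "$problems" -eq 0 ]
}

# check_keytab KEYTAB OWNER
# The keytab holds the service's long-term key: it must exist, be mode 0600 and
# be owned by the user httpd runs as (apache on CentOS).
check_keytab() {
    keytab=$1; owner=$2
    [ -f "$keytab" ] || { echo "  problem: $keytab does not exist"; return 1; }
    set -- $(stat -c '%a %U' "$keytab")
    [ "$1" = 600 ] || { echo "  problem: $keytab mode is $1, want 600"; return 1; }
    [ "$2" = "$owner" ] || { echo "  problem: $keytab owner is $2, want $owner"; return 1; }
}

# --- constructed sample inputs (not files taken from the post's server) ---
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
# Weak block: no TLS requirement, password fallback left at its default,
# service name for the wrong host, and no Require line.
cat > "$tmp/weak.conf" <<'EOF'
<Location /kerberos_protected>
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate On
  KrbServiceName HTTP/www.example.com
  KrbAuthRealms DEV.ID.AAF.EDU.AU
  Krb5KeyTab /etc/httpd/conf/krb5.keytab
</Location>
EOF
# Hardened block, as shown in step 5.
cat > "$tmp/good.conf" <<'EOF'
<Location /kerberos_protected>
  SSLRequireSSL
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate On
  KrbMethodK5Passwd Off
  KrbServiceName HTTP/krbhttpservice.dev.id.aaf.edu.au
  KrbAuthRealms DEV.ID.AAF.EDU.AU
  Krb5KeyTab /etc/httpd/conf/krb5.keytab
  require valid-user
</Location>
EOF
: > "$tmp/krb5.keytab"; chmod 644 "$tmp/krb5.keytab"   # wrong mode on purpose

for f in weak good; do
    echo "$f.conf:"
    lint_kerb_conf "$tmp/$f.conf" HTTP/krbhttpservice.dev.id.aaf.edu.au && echo "  ok"
done
echo "keytab:"
check_keytab "$tmp/krb5.keytab" "$(id -un)" && echo "  ok"
```

On the real server run the two functions against /etc/httpd/conf.d/auth_kerb.conf and /etc/httpd/conf/krb5.keytab with owner apache; the demo uses the current user as owner so that it runs anywhere. The lint greps the whole file, which is enough for a single <Location> block; a file with several blocks would need per-block parsing.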

ipa-client-install failed with self-signed certificate

# ipa-client-install --domain dev.id.aaf.edu.au --server iam1.dev.id.aaf.edu.au
LDAP Error: Connect error: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.
LDAP Error: Connect error: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.
Failed to verify that iam1.dev.id.aaf.edu.au is an IPA Server.
This may mean that the remote server is not up or is not reachable due to network or firewall settings.
Please make sure the following ports are opened in the firewall settings:
     TCP: 80, 88, 389
     UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:
     TCP: 464
     UDP: 464, 123 (if NTP enabled)
Installation failed. Rolling back changes.
IPA client is not configured on this system.
#

We need to obtain ca.crt from the IPA server and install it so that the client trusts the self-signed CA. Note that this download is plain HTTP and unauthenticated: whatever lands in /etc/ipa/ca.crt becomes the trust anchor for every later LDAP/TLS connection, so compare its digest with the copy on the IPA server before trusting it.
Run these commands to fix this issue:
# wget http://iam1.dev.id.aaf.edu.au/ipa/config/ca.crt
# mv ca.crt /etc/ipa/ca.crt

See https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/SSSD-Troubleshooting.html
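Because ca.crt is fetched over plain HTTP, the safe version of the fix installs it only after its digest matches a value read out of band, for example from sha256sum run on the IPA server's own copy or from the server console. The script below is an added example, not code from the original post; it assumes coreutils sha256sum and uses a constructed placeholder file in place of a real certificate.

```shell
#!/bin/sh
# Added example, not part of the original post: trust the IPA CA certificate only
# after its SHA-256 digest matches a value obtained out of band (for instance
# `sha256sum /etc/ipa/ca.crt` run on the IPA server itself), never one taken from
# the same unauthenticated HTTP download. Assumes coreutils sha256sum.

# install_trusted_ca SRC EXPECTED_SHA256 DEST
# Copies SRC to DEST with mode 0644 only when its digest equals EXPECTED_SHA256.
# Returns 1 on mismatch and 2 when the reference digest itself is malformed.
install_trusted_ca() {
    src=$1; expected=$2; dest=$3
    # A truncated or empty reference value pasted by mistake must not match anything.
    case $expected in
        *[!0-9a-f]*|'') echo "bad reference digest: '$expected'" >&2; return 2 ;;
    esac
    [ ${#expected} -eq 64 ] || { echo "bad reference digest length" >&2; return 2; }
    actual=$(sha256sum "$src" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "refusing to trust $src: digest $actual != $expected" >&2
        return 1
    fi
    cp "$src" "$dest" && chmod 0644 "$dest"
}

# --- constructed demo: a placeholder file, not a real CA certificate ---
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed placeholder, not a real CA cert' \
    '-----END CERTIFICATE-----' > "$tmp/ca.crt"
good_digest=$(sha256sum "$tmp/ca.crt" | cut -d' ' -f1)   # stands in for the value read on the server
bad_digest=$(printf '%064d' 0)                             # a mistyped or attacker-served value

install_trusted_ca "$tmp/ca.crt" "$bad_digest" "$tmp/installed.crt" || echo "mismatch: not installed"
install_trusted_ca "$tmp/ca.crt" "$good_digest" "$tmp/installed.crt" && echo "digest ok: installed"
```

On a real client the call is install_trusted_ca ca.crt <digest-from-server> /etc/ipa/ca.crt, run as root after the wget above; only then run ipa-client-install again.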