Posted to users@httpd.apache.org by Felix Berlakovich <fe...@berlakovich.at> on 2015/01/27 22:38:05 UTC

[users@httpd] Apache reverse proxy with Kerberos delegation

Hi!

My goal:

I would like to configure Apache as a reverse proxy for backend applications that use Kerberos authentication. The goal is that users can always use the URL of the reverse proxy to access backend applications while still using Kerberos authentication. From my understanding this requires the reverse proxy to do Kerberos delegation to the backend applications: the client browser authenticates with Kerberos against Apache and provides a (possibly constrained) version of its TGT. Apache in turn should use the supplied TGT to acquire a service ticket in the name of the requesting user for the backend application. At least this is what (I think) Microsoft ISA / Microsoft TMG / Microsoft IIS + ARR do to achieve SSO despite the use of a reverse proxy.

What I have done so far (that works):

- Configured an Apache reverse proxy that works for unauthenticated / basic authenticated backend applications
- Configured mod_kerb_auth
- Enabled Kerberos constrained delegation (s4u2proxy) in mod_kerb_auth

All this seems to work fine. From the logs I can see that mod_kerb_auth successfully performs Kerberos delegation, i.e. in principle would be able to authenticate against third parties in the name of the requesting user. However, Apache does not acquire a new service ticket for backend applications. Instead it simply passes the authentication token used by the client to authenticate against the reverse proxy (verified with a Wireshark trace).

My question: 

Is the desired behaviour even possible with mod_proxy or am I doomed to use IIS + ARR?

Sorry for the long question, but many versions of this question on the net suffer from insufficient details.

Thanks in advance and best regards

Felix  
