Forwarding Krb5 credentials to backend server

Xesc Arbona X.Arbona at topdesk.com
Tue Nov 3 12:38:07 EST 2009


Hi,

I'm trying to set up a Reverse-Proxy with WebAuth (http://webauth.stanford.edu/) for several backend servers running Apache2 with mod_auth_kerb. We use Kerberos internally for authentication and SSO works pretty well with mod_auth_kerb.

What I would like now is to provide access to these internal servers from outside. I want the user to enter their corporate credentials once on WebAuth, and then generate Kerberos tickets for the backend servers. I use WebAuthCred (http://webauth.stanford.edu/manual/mod/mod_webauth.html#webauthcred) for that, and the credentials get stored in a cache, but the reverse-proxy doesn't forward these credentials, and I get a 401 error message back.

I would like to create an "Authorization: Negotiate [KRB5 ticket]" header, but I'm not sure this is the right thing to do, or how to do it. I've already sent a mail to the webauth-info mailing list, but it seems that this is outside the scope of WebAuth:

"WebAuth can only get the Kerberos tickets as far as the server running
mod_webauth, since it uses the WebAuth protocol to transfer them.  At that
point, what you want to have happen is for mod_proxy to do a
Negotiate-Auth authentication to the internal host using the Kerberos
ticket cache set up by WebAuth.  This is possible at a technical level,
but since mod_proxy doesn't know anything about Kerberos, Apache doesn't
know how to do this.  Unfortunately, what you'd need to make this happen
is a modified version of mod_proxy that knows how to be a Negotiate-Auth
Kerberos client, which is something I'm pretty sure no one has yet
written."

Has someone already worked on this? What is the best thing to do? Modify mod_proxy? Use mod_header?

Thank you very much for your help!

Cheers,

--
Xesc Arbona
Sysadmin at TOPdesk
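The "Authorization: Negotiate [KRB5 ticket]" header discussed above carries a base64 GSS-API initial context token (RFC 2743 framing around a mechanism OID and, for Kerberos, a KRB_AP_REQ), not a bare ticket. The following is an added example, not code from this thread, from WebAuth or from mod_proxy: a small Python checker that validates that framing and identifies the mechanism, the kind of guard a proxy or backend applies to the header before handing it to its GSS-API library. The sample token is constructed here with a placeholder body in place of a real AP-REQ.

```python
import base64
import re

# DER-encoded GSS-API mechanism OIDs (value bytes only, without the 0x06 tag)
MECH_OIDS = {
    bytes.fromhex("2a864886f712010202"): "krb5",    # 1.2.840.113554.1.2.2
    bytes.fromhex("2b0601050502"): "spnego",        # 1.3.6.1.5.5.2
    bytes.fromhex("2a864882f712010202"): "mskrb5",  # 1.2.840.48018.1.2.2
}

def _der_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, offset of content)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def parse_negotiate(header_value):
    """Return (mechanism, inner token) for an 'Authorization: Negotiate <b64>'
    value; raise ValueError for NTLM, non-GSS or truncated input, which should
    be rejected before the bytes reach a GSS-API library."""
    m = re.fullmatch(r"Negotiate\s+([A-Za-z0-9+/=]+)", header_value.strip())
    if not m:
        raise ValueError("not a Negotiate credential")
    tok = base64.b64decode(m.group(1), validate=True)
    if tok.startswith(b"NTLMSSP\x00"):
        raise ValueError("NTLM token, not Kerberos/SPNEGO")
    if len(tok) < 2 or tok[0] != 0x60:  # RFC 2743 InitialContextToken, [APPLICATION 0]
        raise ValueError("missing GSS-API token framing")
    total, pos = _der_length(tok, 1)
    if pos + total != len(tok) or total < 2 or tok[pos] != 0x06:  # OBJECT IDENTIFIER
        raise ValueError("bad token length or missing mechanism OID")
    oid_len, pos = _der_length(tok, pos + 1)
    oid = tok[pos:pos + oid_len]
    if oid not in MECH_OIDS:
        raise ValueError("unknown mechanism OID " + oid.hex())
    return MECH_OIDS[oid], tok[pos + oid_len:]

def make_header(oid, inner):
    """Wrap a mechanism token in RFC 2743 framing (short-form DER lengths only)."""
    body = b"\x06" + bytes([len(oid)]) + oid + inner
    return "Negotiate " + base64.b64encode(b"\x60" + bytes([len(body)]) + body).decode()

# Constructed sample: krb5 mechanism, TOK_ID 01 00 (KRB_AP_REQ) followed by a
# placeholder where a real client puts the AP-REQ built from its ticket cache.
SAMPLE_INNER = b"\x01\x00" + b"<constructed AP-REQ bytes>"
SAMPLE_HEADER = make_header(bytes.fromhex("2a864886f712010202"), SAMPLE_INNER)
```

A real Negotiate client (such as the modified mod_proxy described in the quoted reply) would obtain the inner AP-REQ from its GSS-API library using the ticket cache WebAuth populated; this checker only inspects the framing such a client produces.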
