Forwarding Krb5 credentials to backend server
Xesc Arbona
X.Arbona at topdesk.com
Tue Nov 3 12:38:07 EST 2009
Hi,
I'm trying to set up a Reverse-Proxy with WebAuth (http://webauth.stanford.edu/) for several backend servers running Apache2 with mod_auth_kerb. We use Kerberos internally for authentication and SSO works pretty well with mod_auth_kerb.
What I would like now is to provide access to these internal servers from outside. I want the user to enter their corporate credentials once on WebAuth, and then generate Kerberos tickets for the backend servers. I use WebAuthCred (http://webauth.stanford.edu/manual/mod/mod_webauth.html#webauthcred) for that, and the credentials get stored in a cache, but the reverse-proxy doesn't forward these credentials, and I get a 401 error message back.
I would like to create an "Authorization: Negotiate [KRB5 ticket]" header, but I'm not sure this is the right thing to do, or how to do it. I've already sent a mail to the webauth-info mailing list, but it seems that this is outside the scope of WebAuth:
"WebAuth can only get the Kerberos tickets as far as the server running
mod_webauth, since it uses the WebAuth protocol to transfer them. At that
point, what you want to have happen is for mod_proxy to do a
Negotiate-Auth authentication to the internal host using the Kerberos
ticket cache set up by WebAuth. This is possible at a technical level,
but since mod_proxy doesn't know anything about Kerberos, Apache doesn't
know how to do this. Unfortunately, what you'd need to make this happen
is a modified version of mod_proxy that knows how to be a Negotiate-Auth
Kerberos client, which is something I'm pretty sure no one has yet
written."
Has someone already worked on this? What is the best thing to do? Modify mod_proxy? Use mod_header?
Thank you very much for your help!
Cheers,
--
Xesc Arbona
Sysadmin at TOPdesk
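Whatever ends up emitting the "Authorization: Negotiate ..." header towards the backend, it helps to be able to check what mechanism such a header actually carries, since Negotiate can wrap SPNEGO, raw Kerberos or NTLM. The following is an added example, not code from the post or from WebAuth/mod_proxy; the function and constant names are my own and the sample tokens are constructed, with only the GSS-API framing and mechanism OIDs taken from the standards.

```python
import base64

# GSS-API mechanism OIDs, DER-encoded without the 0x06 tag and length.
SPNEGO_OID = bytes.fromhex("2b0601050502")           # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")       # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")    # 1.2.840.48018.1.2.2


def _der_length(buf, pos):
    """Decode a DER length field at buf[pos]; return (length, next_pos)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def classify_negotiate_token(header_value):
    """Return 'SPNEGO', 'Kerberos', 'NTLM' or 'unknown' for the value of an
    'Authorization: Negotiate <base64>' header."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        raise ValueError("not a Negotiate header")
    token = base64.b64decode(b64, validate=True)
    if token.startswith(b"NTLMSSP\x00"):
        return "NTLM"  # NTLM over Negotiate, no Kerberos involved
    # RFC 2743 InitialContextToken: 0x60 <len> 0x06 <oidlen> <oid> <inner>
    if len(token) < 4 or token[0] != 0x60:
        return "unknown"
    _, pos = _der_length(token, 1)
    if pos >= len(token) or token[pos] != 0x06:
        return "unknown"
    oid_len, pos = _der_length(token, pos + 1)
    oid = token[pos:pos + oid_len]
    if oid == SPNEGO_OID:
        return "SPNEGO"
    if oid in (KRB5_OID, MS_KRB5_OID):
        return "Kerberos"
    return "unknown"


# Constructed samples: correct GSS framing around a dummy inner token.
SAMPLE_SPNEGO = "Negotiate " + base64.b64encode(
    b"\x60\x0a\x06\x06" + SPNEGO_OID + b"\xa0\x00").decode()
SAMPLE_KRB5 = "Negotiate " + base64.b64encode(
    b"\x60\x0d\x06\x09" + KRB5_OID + b"\x01\x00").decode()
```

Run it against a header captured from the proxy's outbound request; a result of "NTLM" or "unknown" means the backend is not being handed a Kerberos ticket at all.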