[31649] in Kerberos


Forwarding Krb5 credentials to backend server

daemon@ATHENA.MIT.EDU (Xesc Arbona)
Tue Nov 3 14:37:59 2009

From: Xesc Arbona <X.Arbona@topdesk.com>
To: kerberos@mit.edu, modauthkerb-help@lists.sourceforge.net
Date: Tue, 3 Nov 2009 18:38:07 +0100
Message-Id: <vmime.4af06a7f.3303.ac5ef6b48e959cd@mona.topdesk.com>

Hi,

I'm trying to set up a Reverse-Proxy with WebAuth (http://webauth.stanford.edu/) for several backend servers running Apache2 with mod_auth_kerb. We use Kerberos internally for authentication and SSO works pretty well with mod_auth_kerb.

What I would like now is to provide access to these internal servers from outside. I want the user to enter their corporate credentials once on WebAuth, and then generate Kerberos tickets for the backend servers. I use WebAuthCred (http://webauth.stanford.edu/manual/mod/mod_webauth.html#webauthcred) for that, and the credentials get stored in a cache, but the reverse-proxy doesn't forward these credentials, and I get a 401 error message back.

I would like to create an "Authorization: Negotiate [KRB5 ticket]" header, but I'm not sure this is the right thing to do, or how to do it. I've already sent a mail to the webauth-info mailing list, but it seems that this is outside the scope of WebAuth:

"WebAuth can only get the Kerberos tickets as far as the server running
mod_webauth, since it uses the WebAuth protocol to transfer them.  At that
point, what you want to have happen is for mod_proxy to do a
Negotiate-Auth authentication to the internal host using the Kerberos
ticket cache set up by WebAuth.  This is possible at a technical level,
but since mod_proxy doesn't know anything about Kerberos, Apache doesn't
know how to do this.  Unfortunately, what you'd need to make this happen
is a modified version of mod_proxy that knows how to be a Negotiate-Auth
Kerberos client, which is something I'm pretty sure no one has yet
written."

Has someone already worked on this? What is the best thing to do? Modify mod_proxy? Use mod_header?

Thank you very much for your help!

Cheers,

--
Xesc Arbona
Sysadmin at TOPdesk


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
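What the WebAuth maintainer describes in the quoted reply (a proxy acting as a Negotiate-Auth Kerberos client toward the internal host) is, at the HTTP level, the client side of the exchange in RFC 4559: send the request, get a 401 with "WWW-Authenticate: Negotiate", send "Authorization: Negotiate <GSS token>", and finish mutual authentication from the token the backend returns. The block below is an added example, not code from the original post, WebAuth, mod_auth_kerb or mod_proxy. It implements that client state machine in Python with the GSS-API step injected as a callable, so it runs against a constructed fake backend without a KDC; the python-gssapi wiring to the user's ticket cache is sketched in comments as an assumed environment (backend.example.com and cache_for(user) are placeholders).

```python
"""Client side of HTTP Negotiate (SPNEGO, RFC 4559) as a reverse proxy would drive it.

The GSS-API call is injected as a step function so the exchange logic can be
exercised with a constructed fake backend and no KDC. Production wiring with
python-gssapi is sketched in comments at the end (assumed environment).
"""
import base64
import re
from typing import Callable, Dict, Optional, Tuple

# Step function: given the server's last token (None on the first round), return
# (next client token or None, True once the GSS context is established).
StepFn = Callable[[Optional[bytes]], Tuple[Optional[bytes], bool]]
# Transport: send one request with the given extra headers, get (status, headers).
SendFn = Callable[[Dict[str, str]], Tuple[int, Dict[str, str]]]

_NEGOTIATE_RE = re.compile(r"(?:^|,)\s*Negotiate(?:\s+([A-Za-z0-9+/=]+))?\s*(?=,|$)")


class NegotiateError(Exception):
    """Authentication toward the backend could not be completed safely."""


def build_authorization(token: bytes) -> str:
    """Serialise a GSS output token into the Authorization header value."""
    return "Negotiate " + base64.b64encode(token).decode("ascii")


def parse_negotiate_challenge(www_authenticate: Optional[str]) -> Tuple[bool, Optional[bytes]]:
    """Return (negotiate_offered, server_token) for a WWW-Authenticate value.

    Handles a bare "Negotiate", "Negotiate <b64>" continuation or mutual-auth
    tokens, and a comma-separated list mixing other schemes (e.g. Basic).
    """
    if not www_authenticate:
        return False, None
    m = _NEGOTIATE_RE.search(www_authenticate)
    if m is None:
        return False, None
    if m.group(1) is None:
        return True, None
    try:
        return True, base64.b64decode(m.group(1), validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError
        raise NegotiateError("malformed Negotiate token from backend") from exc


def negotiate(step: StepFn, send: SendFn, max_rounds: int = 5) -> int:
    """Run the exchange; return the HTTP status of the authenticated request.

    Refuses (raises) a 2xx that arrives before the GSS context is complete, i.e.
    a backend that never proved itself under mutual authentication, and a
    backend that answers 401 without offering Negotiate at all.
    """
    status, headers = send({})  # unauthenticated probe; the backend should 401
    complete = False
    for _ in range(max_rounds):
        offered, server_token = parse_negotiate_challenge(headers.get("WWW-Authenticate"))
        if status != 401:
            # Challenge phase is over; consume the backend's AP-REP if it sent one.
            if server_token is not None and not complete:
                _, complete = step(server_token)
            if not complete:
                raise NegotiateError("backend answered before mutual authentication completed")
            return status
        if not offered:
            raise NegotiateError("backend returned 401 without offering Negotiate")
        client_token, complete = step(server_token)
        if client_token is None:
            raise NegotiateError("GSS step produced no token to send")
        status, headers = send({"Authorization": build_authorization(client_token)})
    raise NegotiateError("Negotiate exchange exceeded %d rounds" % max_rounds)


def run_demo(backend_proves_itself: bool = True) -> str:
    """Constructed fake: a backend that wants one AP-REQ and replies with an AP-REP.

    With backend_proves_itself=False it accepts the ticket but sends no AP-REP,
    which a client that asked for mutual authentication must treat as failure.
    """
    ap_req, ap_rep = b"AP-REQ for HTTP/backend.example.com", b"AP-REP from backend"

    def fake_step(server_token: Optional[bytes]) -> Tuple[Optional[bytes], bool]:
        if server_token is None:
            return ap_req, False  # first token out; context not yet complete
        if server_token == ap_rep:
            return None, True  # AP-REP checked; mutual authentication done
        raise NegotiateError("mutual authentication failed")

    def fake_send(headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
        scheme, _, b64 = headers.get("Authorization", "").partition(" ")
        if scheme == "Negotiate" and b64 and base64.b64decode(b64) == ap_req:
            reply = {"WWW-Authenticate": build_authorization(ap_rep)} if backend_proves_itself else {}
            return 200, reply
        return 401, {"WWW-Authenticate": 'Basic realm="intranet", Negotiate'}

    try:
        return "authenticated (HTTP %d)" % negotiate(fake_step, fake_send)
    except NegotiateError as exc:
        return "refused: %s" % exc


# Production wiring (assumed, not exercised here): a python-gssapi initiator bound
# to the ticket cache WebAuthCred wrote for this user. One cache per authenticated
# user; a shared cache would let every visitor act as whoever populated it.
#   import gssapi
#   creds = gssapi.Credentials(usage="initiate", store={"ccache": cache_for(user)})
#   ctx = gssapi.SecurityContext(
#       name=gssapi.Name("HTTP@backend.example.com", gssapi.NameType.hostbased_service),
#       creds=creds, usage="initiate",
#       flags=[gssapi.RequirementFlag.mutual_authentication])
#   step = lambda tok: (ctx.step(tok), ctx.complete)

if __name__ == "__main__":
    print(run_demo(True))
    print(run_demo(False))
```

Two points matter for a proxy doing this on a user's behalf: it must select the ticket cache of the user it has itself authenticated (never a single cache for all visitors), and the Authorization value is a one-shot GSS token derived from that user's service ticket, not a reusable bearer string, so each upstream request needs a fresh step and the proxy should refuse to relay a 2xx until the backend's own token has been verified.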
