Reverse proxy authentication impacted by backend authentication

[noDevButOp]

I got a request to secure the access to a web portal which is located in a VLAN. My idea was to use an existing intranet reverse proxy with Kerberos and LDap to let only members of an AD group pass through to the web portal, which itself is only allowing requests from the reverse proxy.

This is so far working, only the group members have access to the web portal. But when they try to login into the web portal a browser login window appears and ask them to add manually their credentials.

I guess the backend auth impacts the frontend auth or vice versa, in the log files I can see that the next request right after the web portal login contains no authenticated user anymore in my reverse proxy access log file.
The web portal is not using SSO, they use manual log on with additional accounts and LDAP.

Setup:
Apache 2.4
auth_gssapi
authnz_ldap

<Location />
    AuthType GSSAPI
    AuthName "GSSAPI Login"
    GssapiCredStore keytab:/etc/apache2/kerberos/intrasso.keytab
    GssapiLocalName on
    Require valid-user

    GssapiUseSessions       On
    GssapiDelegCcacheDir    /run/apache2/clientcaches

    <IfModule mod_session.c>
        Session on
    </IfModule>
    <IfModule mod_session_cookie.c>
        SessionCookieName gssapi_session path=/;httponly;secure;
    </IfModule>

    ProxyPass           https://hostname.corp.internal.com:8443/
    ProxyPassReverse    https://hostname.corp.internal.com:8443/

    RequestHeader unset Authorization
</Location>

My question:
is my idea feasible at all and if yes, how can I solve my issue

[simo5]

Do you want users to be automatically logged on on the actual application server? Or is your intention really to have them only filtered by the proxy but then have to re-authenticate on the application?

[noDevButOp]

Thanks for your reply.

I only want to filter the access, no need to forward the authentication.

[simo5]

I think the proxy needs to insure that the session cookie is not dropped then, I guess.
Sounds like an interaction between proxy and application as you noted, but at this stage you enter debugging territory, can't help you further.