Setup s4u2proxy on a reverse-proxy

[kvvloten]

I have a PHP webapp running behind a reverse-proxy that I would like to authenticate users based on their ticket.

User -----> Apache revproxy ---------> Apache webapp with PHP
(user1)   (revproxy.example.com)       (webapp.example.com)

The user and both apache application have accounts in the AD-domain (example.com), which runs on Samba (4.16)

When no authentication is setup on the revproxy, the user ticket is sent to HTTP/[email protected] is sent straight to the webappserver.
Obviously the webserver is not able to decrypt the ticket and returns an error:

PHP Warning:  KRB5NegotiateAuth::doAuthentication(): 
Cannot decrypt ticket for HTTP/[email protected] using keytab key for HTTP/[email protected] (100005) 

Now when I add mod_gssapi with s4u2proxy on the revproxy server like this:

<Location /myapp>
    AuthName "App Login"
    AuthType GSSAPI
    GssapiSSLonly On
    GssapiUseS4U2Proxy On
    GssapiCredStore keytab:/etc/keytab/svc_revproxy_apache.keytab
    GssapiCredStore client_keytab:/etc/keytab/svc_revproxy_apache.keytab
    GssapiCredStore ccache:DIR:/run/apache2/krb5_ccache
    GssapiDelegCcacheDir /run/apache2/krb5_delegation_ccache
    GssapiAllowedMech krb5
    require valid-user
    
    ProxyPass https://webapp.example.com/myapp
    ProxyPassReverse https://webapp.example.com/myapp
</Location>

The keytab /etc/keytab/svc_revproxy_apache.keytab contains HTTP/[email protected]
The account svc_revproxy_apache is configured to allow constrained delegation to svc_webapp_apache (which is the account used by the backend webapp server)

When I connect to the revproxy server as user1, I see a file [email protected] getting stored in /run/apache2/krb5_delegation_ccache, which tells me that the interaction with the KDC works as expected. The traffic is forwarded to webapp.example.com but the ticket never gets proxied / changed by s4u2proxy and hence it reaches the webapp server as HTTP/[email protected] resulting in the same error as shown above.

What is it I am doing wrong here?

• Kees.

[fjf2002]

ping any news on this question?

[simo5]

Well the problem is that there is nothing that is doing the actual delegation.

The support in mod_auth_gssapi is written from the pov of an application that does something and then uses delegated credentials to access some other resource.

It is not written for a proxy situation where nothing happens on the proxy itself except authentication.

In order to work in the proxy case we'd have to grow an additional option to have mod_auth_gssapi initialize a session with the target of the proxy.

There are challenges here though. First of all only one shot session setups will probably work, because mod_auth_gssapi would not be invoked (normally) if the target server returns a GSS_S_CONTINUE_NEEDED error instead of GSS_S_COMPLETE.

It is also not clear to me that we can add authorization headers to the proxy outgoing call, that may require additional configuration that copies some variables that mod_auth_gssapi sets.

I have not looked into this scenario before, so it is unclear how much can be mad to work for the proxying case.

[fjf2002]

@simo5 thanks for the clarification. I realized that in my use case, I can workaround this issue and anyway build kerberos auth by

• Giving my webserver the keytab of my reverse proxy (i. e. containing the HTTP/[email protected] SPN),
• or alternatively: Use domain splitting. Company-internal users may use kerberos and shall access the webserver directly without the reverse proxy; external users may not use kerberos and shall access through the reverse proxy.