
I have a working internal Apache server configured with mod_auth_kerb. I also have an external Apache server that proxies connections to the internal.

When users connect internally with their domain accounts, SSO using Kerberos works. When accessing externally, they are prompted for a username and password. This setup worked until we implemented a second domain (aka realm).

Internally, users on either domain can authenticate. But externally, after entering credentials, the internal server reports

[Mon Sep 24 11:17:17.482681 2018] [auth_kerb:error] [pid 10547:tid 140441496266496] [client 10.200.3.36:49484] failed to verify krb5 credentials: Server not found in Kerberos database, referer: https://server.com/

and the proxy reports

[Mon Sep 24 11:17:18.127581 2018] [proxy_http:error] [pid 2539] (70014)End of file found: [client xxx.xxx.xxx.xxx:60926] AH01102: error reading status line from remote server server.com:443, referer: https://server.com/

I know I am missing something obvious.

Here is the config from the proxy

<VirtualHost *:443>
ServerName server.com
SSLEngine On
SSLCertificateFile /etc/pki/tls/certs/server.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/server.com.key
SSLCertificateChainFile /etc/pki/tls/certs/server.com.inter.crt
# Backend is reached over TLS, so mod_ssl must act as a TLS client
SSLProxyEngine On
# Same name as this vhost: from the proxy, split DNS resolves server.com
# to the internal server's IP, not back to this host
ProxyPass "/" "https://server.com/"
ProxyPassReverse "/" "https://server.com/"
</VirtualHost>

Config from internal server

<VirtualHost *:443>
ServerName server.com
DocumentRoot /var/www/html/wordpress
SSLEngine on
SSLCertificateFile "/etc/pki/tls/certs/server.com.crt"
SSLCertificateKeyFile "/etc/pki/tls/private/server.com.key"
SSLCertificateChainFile /etc/pki/tls/certs/server.com.inter.crt
# TLS 1.2 only
SSLProtocol +TLSv1.2
SSLCipherSuite RSA:HIGH:-LOW:-RC4

# Require Kerberos for everything except requests from the proxy host and
# the /wp-admin path. ap_expr request variables are written %{NAME};
# ${NAME} is the Define-variable substitution and stays a literal if undefined.
<If "'%{REMOTE_ADDR}' != '10.200.3.35' && '%{REQUEST_URI}' != '/wp-admin'">
AuthType Kerberos
AuthName "Kerberos authenticated intranet"
# Realms tried in order; each name must match the realm part of the
# HTTP/server.com@<REALM> principals in the keytab exactly
KrbAuthRealms REALM1 REALM2
KrbServiceName Any
Krb5KeyTab /etc/httpd/merged.keytab
# Negotiate (SPNEGO) for SSO clients, Basic (KrbMethodK5Passwd) as fallback
KrbMethodNegotiate On
KrbMethodK5Passwd On
Require valid-user
</If>

<Directory "/var/www/html/wordpress">
AllowOverride All
</Directory>
</VirtualHost>

Keytab sample

slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    1 HTTP/server.com@REALM1
   2    1 HTTP/server.com@REALM1
   3    1 HTTP/server.com@REALM1
   4    1 HTTP/server.com@REALM1
   5    1 HTTP/server.com@REALM1
   6    1 HTTP/server.com@REALM2
   7    1 HTTP/server.com@REALM2
   8    1 HTTP/server.com@REALM2
   9    1 HTTP/server.com@REALM2
  10    1 HTTP/server.com@REALM2
TurboAAA
  • That's a Kerberos error. What's in the Kerberos client config for your "external users"? Do they use AD? Do you also use AD as Kerberos KDC? If yes, same domain ? Is the "internal" server properly defined in the "external" DNS (canonical FQDN with consistent reverse lookup)? – Samson Scharfrichter Sep 24 '18 at 18:44
  • @SamsonScharfrichter In this case, the users are accessing the internal site using their personal cell phones. I want them to manually enter their username and password. Sadly, this was out of my control; we use separate internal and external DNS. Both the proxy and the internal site use the same FQDN but with different IPs depending on which server you ask. The internal works with both seamless SSO and with manually entering credentials. The proxy part is what is messing me up since adding the second realm. It used to work with just one. – TurboAAA Sep 26 '18 at 11:38

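The first thing to rule out with a two-realm mod_auth_kerb setup is a mismatch between what the vhost says and what the keytab actually holds. On the KrbMethodK5Passwd (username/password) path mod_auth_kerb obtains a TGT for the user in each configured realm and then verifies it against the server's own HTTP principal from the keytab, so every realm named in KrbAuthRealms needs a matching HTTP/<ServerName>@<REALM> key. The script below is an added offline diagnostic, not code from the question or from mod_auth_kerb: it parses the text of the <VirtualHost> and the output of `klist -kt` (or ktutil's `list`) and reports realms that have no key, keys whose realm is not listed (the typical fingerprint of a typo such as REAM2 vs REALM2), a Krb5KeyTab path that differs from the listing, and `${...}` variables inside `<If>` expressions. The klist output and vhost fragment are constructed samples modelled on the question's listing and config. It cannot detect the other cause of "Server not found in Kerberos database", a KDC that has no HTTP/server.com service principal registered for that realm; that needs `kvno HTTP/server.com@REALM2` run with a ticket from the second realm.

```python
"""Cross-check a mod_auth_kerb vhost against the keys in its keytab listing.

Added diagnostic, not code from the question. It never contacts a KDC: it
parses the <VirtualHost> text and a `klist -kt` / `ktutil list` listing and
reports config/keytab mismatches that break the KrbMethodK5Passwd path.
"""
import re

# Constructed sample modelled on the keytab listing in the question.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/httpd/merged.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 09/24/2018 10:01:12 HTTP/server.com@REALM1
   1 09/24/2018 10:01:12 HTTP/server.com@REALM1
   1 09/24/2018 10:01:40 HTTP/server.com@REALM2
   1 09/24/2018 10:01:40 HTTP/server.com@REALM2
"""

# Constructed vhost fragment reproducing the question's config, including
# the REAM2 typo and the ${REQUEST_URI} inside the <If> expression.
VHOST_AS_POSTED = """\
<VirtualHost *:443>
ServerName server.com
<If "'%{REMOTE_ADDR}' != '10.200.3.35' && '${REQUEST_URI}' != '/wp-admin'">
AuthType Kerberos
KrbAuthRealms REALM1 REAM2
KrbServiceName Any
Krb5KeyTab /etc/httpd/merged.keytab
KrbMethodNegotiate On
KrbMethodK5Passwd On
Require valid-user
</If>
</VirtualHost>
"""

VHOST_FIXED = (VHOST_AS_POSTED.replace("REAM2", "REALM2")
               .replace("${REQUEST_URI}", "%{REQUEST_URI}"))


def parse_klist(text):
    """Principals in a `klist -kt` or `ktutil list` listing. Entry lines start
    with an integer (KVNO or slot) and end with the principal, so both layouts
    parse the same way."""
    principals = set()
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0].isdigit():
            principals.add(fields[-1])
    return principals


def keytab_path(text):
    """Keytab file named in klist's `Keytab name:` header, or None."""
    m = re.search(r"^Keytab name:\s*(?:FILE:)?(\S+)", text, re.M)
    return m.group(1) if m else None


def parse_vhost(conf):
    """Pull out the directives the checks need (names are case-insensitive)."""
    def directive(name):
        m = re.search(r"^\s*" + name + r"\s+(.+?)\s*$", conf, re.M | re.I)
        return m.group(1) if m else None
    return {
        "server_name": directive("ServerName"),
        "realms": (directive("KrbAuthRealms") or "").split(),
        "keytab": directive("Krb5KeyTab"),
        "if_exprs": re.findall(r'<If\s+"([^"]*)"\s*>', conf, re.I),
    }


def check_realms(server_name, realms, principals):
    """Each listed realm needs HTTP/<ServerName>@<REALM>; a key for an
    unlisted realm usually means the realm list has a typo."""
    problems = []
    for realm in realms:
        wanted = f"HTTP/{server_name}@{realm}"
        if wanted not in principals:
            problems.append(f"KrbAuthRealms names {realm} but the keytab has no {wanted}")
    prefix = f"HTTP/{server_name}@"
    in_keytab = {p[len(prefix):] for p in principals if p.startswith(prefix)}
    for realm in sorted(in_keytab - set(realms)):
        problems.append(f"keytab holds {prefix}{realm} but {realm} is not in KrbAuthRealms")
    return problems


def check_if_exprs(exprs):
    """ap_expr request variables are %{NAME}; ${NAME} is Define substitution
    and is left as a literal string when no such Define exists."""
    return [
        f"<If> expression uses ${{{var}}}; request variables are written %{{{var}}}"
        for expr in exprs
        for var in re.findall(r"\$\{(\w+)\}", expr)
    ]


def diagnose(conf, klist_text):
    """Run every check; an empty list means vhost and keytab agree."""
    vhost = parse_vhost(conf)
    principals = parse_klist(klist_text)
    findings = check_realms(vhost["server_name"], vhost["realms"], principals)
    findings += check_if_exprs(vhost["if_exprs"])
    kt = keytab_path(klist_text)
    if kt and vhost["keytab"] and kt != vhost["keytab"]:
        findings.append(f"Krb5KeyTab is {vhost['keytab']} but the listing is of {kt}")
    return findings


if __name__ == "__main__":
    for label, conf in (("as posted", VHOST_AS_POSTED), ("fixed", VHOST_FIXED)):
        print(f"[{label}]")
        for finding in diagnose(conf, KLIST_OUTPUT) or ["no mismatches found"]:
            print("  -", finding)
```

To use it on a real host, replace the two constructed strings with the output of `klist -kt /etc/httpd/merged.keytab` and the vhost file's contents; the checks are deliberately text-only so they can be run on the proxy or on a workstation without Kerberos libraries.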
0 Answers