Apache Reverse Proxy with Kerberos SSO

cancel
Showing results for 
Search instead for 
Did you mean: 
phivuu-2
Active Member II

Apache Reverse Proxy with Kerberos SSO

I have succesfully configured Kerberos and generated SPN + Keytabs to work when the Reverse Proxy is disabled. However I want it to work with the reverse proxy. From what I understand, I need to generate generate new SPN + Keytabs for the proxy DNS. Alfresco server runs on the same server as Apache reverse server.

Do I need to reconfigure krb5.ini, java.login.config and share-config-custom.xml anything?

  • krb5.ini: Points to the AD server
  • java.login.config: Currently points to the alfresco server which runs apache reverse proxy(not using the proxy DNS).
  • share-config-custom.xml: Kerberos endpoint-spn points to the alfresco server which runs apache reverse proxy(not using the proxy DNS). Remote section uses localhost.

The proxy DNS is alfrescotest.jonkoping.se. Are the commands correct or did I add one .jonkoping.se too many?

setspn -a cifs/alfrescotest.jonkoping.se alfrescocifs
setspn -a cifs/alfrescotest.jonkoping.se.jonkoping.se alfrescocifs
setspn -a HTTP/alfrescotest.jonkoping.se alfrescohttp
setspn -a HTTP/alfrescotest.jonkoping.se.jonkoping.se alfrescohttp

ktpass -princ cifs/alfrescotest.jonkoping.se.jonkoping.se@jonkoping.se -pass Password -mapuser jonkoping\alfrescocifs -crypto ALL -ptype KRB5_NT_PRINCIPAL -out d:\temp\alfrescocifs.keytab -kvno 0

ktpass -princ HTTP/alfrescotest.jonkoping.se.jonkoping.se@jonkoping.se -pass Password -mapuser jonkoping\alfrescohttp -crypto ALL -ptype KRB5_NT_PRINCIPAL -out d:\temp\alfrescohttp.keytab -kvno 0

 

Lastly, do I need to configure Apache httpd.conf anything to forward the headers to alfresco repository?