Hello, I am trying to understand the architecture for Apache Kerberos:

1. I have a commercial J2EE web application (JIRA) running on Tomcat (https://app1.mycomp.com:7100/JIRA). JIRA allows Kerberos authentication.
2. I know I need to install Apache with auth_kerb_module (also on https://app1.mycom.com:443).
3. We are using MS AD.
4. I know I need to create a service principal for the Apache server and a keytab file, then configure httpd.conf, etc, etc.

QUESTION #1: Once I have the above in place, how does this all work in terms of user function? For instance:

A) The Windows client workstation will pull up a page on the Apache server (https://app1.mycom.com:443/portal_jira.html ??) that references the JIRA application, and the user clicks on the JIRA link.
B) The credentials of the user on the Windows client workstation are passed to the Apache server for validation against AD, which then results in a ticket sent back to the client workstation browser.
C) The ticket is then sent by the browser to the JIRA application (https://app1.mycomp.com:7100/JIRA), which validates the ticket and allows the user in ???

QUESTION #2

A) What would the Apache config look like given the above scenario?

    <VirtualHost *:443>
        SSLEngine on
        SSLCertificateFile /etc/pki/tls/certs/mypubliccert.pem
        SSLCertificateKeyFile /etc/pki/tls/private/privatekey.pem
        ProxyPreserveHost On
        ProxyRequests Off
        ServerName app1.mycomp.com
        ProxyPass / http://localhost:8080/
        ProxyPassReverse / http://localhost:8080/
        SSLProxyEngine On
        <Location />
            AuthType Kerberos
            AuthName "Jira Kerberos Auth"
            KrbMethodNegotiate On
            KrbMethodK5Passwd On
            KrbAuthRealms MYREALM
            Krb5KeyTab /etc/httpd/httpd.keytab
            KrbLocalUserMapping On
            require valid-user
            RequestHeader set X-Forwarded-User %{REMOTE_USER}s
        </Location>
    </VirtualHost>

Thank you for ANY and ALL help!!

Ed
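
For the Negotiate step in the setup above (the browser answering Apache's `KrbMethodNegotiate On` challenge), here is an added example, not part of the original post and not mod_auth_kerb code. It classifies a captured `Authorization` header as Kerberos or NTLM; mod_auth_kerb validates only Kerberos tokens, so an NTLM result means the browser did not obtain a service ticket for the Apache principal. The function names and sample headers are constructed for illustration.

```python
import base64

# DER-encoded GSS-API mechanism OIDs (tag 0x06, length, value)
OID_SPNEGO = bytes.fromhex("06062b0601050502")            # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")        # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")     # 1.2.840.48018.1.2.2
OID_NTLMSSP = bytes.fromhex("060a2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
MECHS = [(OID_KRB5, "kerberos"), (OID_MS_KRB5, "kerberos"), (OID_NTLMSSP, "ntlm")]


def classify_negotiate(header_value):
    """Classify an Authorization header value:
    'kerberos', 'ntlm', 'unknown', 'not-negotiate' or 'malformed'."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return "not-negotiate"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "malformed"
    if token.startswith(b"NTLMSSP\x00"):
        return "ntlm"  # raw NTLM message sent under the Negotiate scheme
    if token[:1] != b"\x60":
        return "unknown"  # not a GSS-API initial context token
    # In an SPNEGO NegTokenInit the first mechanism listed is the preferred
    # one, so report whichever known mechanism OID appears earliest.
    head = token[:96]
    hits = [(head.find(oid), name) for oid, name in MECHS if oid in head]
    return min(hits)[1] if hits else "unknown"


def sample_spnego(mechs):
    """Constructed sample: SPNEGO NegTokenInit holding only a mechTypes list."""
    body = b"".join(mechs)
    for tag in (0x30, 0xA0, 0x30, 0xA0):  # SEQUENCE OF, [0], SEQUENCE, [0]
        body = bytes([tag, len(body)]) + body
    token = bytes([0x60, len(OID_SPNEGO) + len(body)]) + OID_SPNEGO + body
    return "Negotiate " + base64.b64encode(token).decode()


# Constructed sample headers (not real captures)
KERBEROS_HDR = sample_spnego([OID_MS_KRB5, OID_KRB5])
NTLM_HDR = "Negotiate " + base64.b64encode(
    b"NTLMSSP\x00\x01\x00\x00\x00" + bytes(24)).decode()

if __name__ == "__main__":
    for hdr in (KERBEROS_HDR, NTLM_HDR, "Basic dXNlcjpwdw=="):
        print(classify_negotiate(hdr), "<-", hdr[:40])
```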