Topic: Apache2 kerberos SSO through reverse proxy

[Vidar]

Hi,

I'm trying to do a setup of alfresco.It has two basic sites. http://servername:port/alfresco and http://servername:port/share. Both use kerberos authentication. Alfresco has SSO and share has not. Both sites are on the same server (its just one site but different subs)

I want to put this behind a reverse proxy to eliminate the servername:port combination.

When I put it in a normal config with ajp everything works fine for the share website. I can login without problems. Not so however for the alfresco website. I get a browser login request (not the alfresco one) when i enter my credentials he asks them again and again and then he ends on the regular login page of alfresco at which point everything works. The username I entered is displayed at this point. When I do not enter my credentials correct I do not reach the page.

If I remove the SSO from the alfresco website everything is normal (but i have to login)

Anybody an idea? If the backend can authenticate I don't see why this is actually happening.

[jraute]

I am sorry, but this is not a problem of the apache working as reverse proxy, but a problem of the tomcat/apache configuration on the alfresco-server.
We have had the same problem with our alfresco system and it was solved on the alfresco side.

Unfortunately i don't know what was changed in the configuration - when the alfresco admin changed the settings i have not been there.

Besides this the behaviour changed with the last alfresco-updates several times. So be aware of the patch-level.

Greets
JR

[Vidar]

And how did you do the config then?

just a proxypass with the ajp connector?
Do i need to auth the clients in apache through mod_auth_kerb or mod_auth_SSPI?

No rewrite?

[jraute]

Our reverse proxy configuration is simple: