logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: Apache2 kerberos SSO through reverse proxy
Author
Vidar



Joined: 24 Apr 2014
Posts: 3
Location: Belgium

PostPosted: Thu 24 Apr '14 11:13    Post subject: Apache2 kerberos SSO through reverse proxy Reply with quote

Hi,

I'm trying to do a setup of alfresco.It has two basic sites. http://servername:port/alfresco and http://servername:port/share. Both use kerberos authentication. Alfresco has SSO and share has not. Both sites are on the same server (its just one site but different subs)

I want to put this behind a reverse proxy to eliminate the servername:port combination.

When I put it in a normal config with ajp everything works fine for the share website. I can login without problems. Not so however for the alfresco website. I get a browser login request (not the alfresco one) when i enter my credentials he asks them again and again and then he ends on the regular login page of alfresco at which point everything works. The username I entered is displayed at this point. When I do not enter my credentials correct I do not reach the page.

If I remove the SSO from the alfresco website everything is normal (but i have to login)

Anybody an idea? If the backend can authenticate I don't see why this is actually happening.
Back to top
jraute



Joined: 13 Sep 2013
Posts: 188
Location: Rheinland, Germany

PostPosted: Thu 24 Apr '14 15:13    Post subject: Reply with quote

I am sorry, but this is not a problem of the apache working as reverse proxy, but a problem of the tomcat/apache configuration on the alfresco-server.
We have had the same problem with our alfresco system and it was solved on the alfresco side.

Unfortunately i don't know what was changed in the configuration - when the alfresco admin changed the settings i have not been there. Neutral

Besides this the behaviour changed with the last alfresco-updates several times. So be aware of the patch-level.

Greets
JR
Back to top
Vidar



Joined: 24 Apr 2014
Posts: 3
Location: Belgium

PostPosted: Fri 25 Apr '14 10:13    Post subject: Reply with quote

And how did you do the config then?

just a proxypass with the ajp connector?
Do i need to auth the clients in apache through mod_auth_kerb or mod_auth_SSPI?

No rewrite?
Back to top
jraute



Joined: 13 Sep 2013
Posts: 188
Location: Rheinland, Germany

PostPosted: Fri 25 Apr '14 10:45    Post subject: Reply with quote

Our reverse proxy configuration is simple:

Code:

<VirtualHost *:443>

(other definitions)

########################
# Section for Alfresco #
########################

<Location /alfresco>
   ProxyPreserveHost Off
   ProxyPass http://alfresco-server.domain.com/alfresco
   ProxyPassReverse http://alfresco-server.domain.com/alfresco
   SetEnv proxy-initial-not-pooled
   Header append Vary User-Agent env=!dont-vary
</Location>

<Location /share>
   ProxyPreserveHost Off
   ProxyPass http://alfresco-server.domain.com/share
   ProxyPassReverse http://alfresco-server.domain.com/share
   SetEnv proxy-initial-not-pooled
   Header append Vary User-Agent env=!dont-vary
</Location>

</VirtualHost>


No rewrite!
Back to top


Reply to topic   Topic: Apache2 kerberos SSO through reverse proxy View previous topic :: View next topic
Post new topic   Forum Index -> Apache