Getting keberos to work through a reverse proxy

Aug 4, 2011 at 6:27 PM

I've got a webapp running in a tomcat, I'm using the waffle filter and I can connect to this tomcat and be logged in using my windows username. However, I also have a simple reverse proxy between the two (also running in tomcat). Note all the boxes are windows server 2003.

So, I want to be able to go to http://proxy/ and for my request and credentials to be forwarded on to the backend server. I'd rather not have to configure authentication on the proxy, I'd prefer to let the backend server handle this, but I'm open to any suggestions that work.

I'm running the proxy tomcat as a service, under a service user. I believe I have the relevant SPNs set up, and have told active directory that the server 'proxy' is trusted for delegation.

However, when I try to browse to http://proxy/test.html, the request gets proxied onto the backend server, and waffle on the backend authenticates, but the request is authenticated using the user that the proxy is running as, not the user making the original request in the web browser. I have tried putting the waffle filter on the proxy, and turning on 'impersonate', but that seems to result in the backend server thinking the user is "NT AUTHORITY\ANONYMOUS LOGON".

I am going about this in completely the wrong way, have I totally mis-understood something? Or have I just missed a step somewhere?

Note that the waffle logs seem to show it trying to authenticate using NTLM in some situations and 'negotiate' in others. I'm currently using IE6, I have followed all the steps I can find make it use kerberos (I believe that ntlm will not work with a proxy in the middle), but I'm not totally convinced that it is.

Any suggestions greatly appreciated.

Aug 4, 2011 at 7:41 PM

Just a thought but we fronted our JBoss with Apache (proxy) and it's working properly could you do that? or do yo really need another tomcat server as a proxy.

Our only issue at moment is if Apache uses SSL it’s not working on a Win 7 client but we hope to find a resolution soon.


Aug 4, 2011 at 11:06 PM

@waffleiron: To put things simply, I believe the proxy problem goes like this. You go to box PROXY at an address X, so the client thinks it's talking to PROXY @ X. It encrypts things "for PROXY @ X". When you proxy that further to SERVER @ Y, SERVER @ Y has no idea what to do with this information. This avoids someone pretending that he's someone else on a domain. Of course it could be simpler and your proxy is just stripping headers, so I would look for that. There's something else called proxy authentication that's quite involved that enables the whole delegation from X -> Y of Kerberos, but I don't know how to do this.

@mmirabito: we'll separate the SSL issue, that's something very different, but you're right there's no need for a proxy unless you're trying to load-balance or terminate SSL on the first server. 

Aug 8, 2011 at 8:33 AM

@mmirabito: the reverse proxy does a lot of application specific stuff, I'm keen to avoid having to port that logic to something like apache, but it is an option.

@dblock: you are correct, that is exactly the problem. I'm using VMs to test this, so I've gone back to a set of blank VMs and set everything up from scratch. I can now get trusted delegation to work properly, but only if proxy server and backend server both use the waffle filter. I would like one of them to use the waffle tomcat valve, as I want to be able to lock urls down by role, and the documentation seems to suggest that this is not possible if only using the filter.

I'm not sure what I've done differently to configure my environment this time, but as it works with the filters I guess it works correctly. Enabling impersonation on the waffle filter on the reverse proxy means that the backend server does get the credentials for the original user who logs on in the web-browser. Using the valve for either one of these servers means that the backend server receives the credentials of the user that the reverse proxy server is running as. It looks as if the proxy fails to do kerberos to the backend server, and falls back to NTLM. I can't understand why this would happen when using the valve but not the filter, unless I am configuring the valve incorrectly.

Aug 8, 2011 at 3:54 PM

I am not sure what to do from here, I would try to understand how proxy auth is supposed to work with Negotiate/NTLM, but this is something I know nothing about. I would try Platform SDK discussion group.