
I have very limited knowledge of mod_auth_kerb or SPNEGO protocols, yet we are looking to implement the approach below for gaining single sign-on access (against Microsoft AD with NT domain users authorization) to a number of applications that are deployed on our WebLogic (10.3.6) cluster (some of them are deployed on different domains) that runs on a Red Hat cluster. At the moment all requests are load-balanced through Apache HTTP Server via the mod_wl connector.

The idea is to have the Authentication Service and the ticket granting services installed over Apache for initial authorization (with the help of mod_auth_kerb or other auth_kerb modules for Windows authentication, using Windows authentication with krb5 keytab host configurations) and, upon authorization, direct/load-balance the requests to WebLogic-specific contexts with REMOTE_USER headers.

I was interested to check whether someone has a setup that works at production scale, and was wondering if they can share setup information after getting their Kerberos configuration for Apache working along with the Apache-WebLogic bridge.

Three exchanges are involved when the client initially accesses a server resource: the AS exchange (circles 1 and 2), the TGS exchange (circles 3 and 4) and finally a client/server exchange (request shown as circle 5).

Thanks in advance! Rahul

  • Why do you want to authenticate in Apache? Why not let Apache be just a load balancer/proxy and do all Kerberos stuff in Weblogic? – misha2400 Sep 15 '16 at 18:31
  • 1) One can use a similar schema for a wider range of domains, with having to replicate the configuration, and have a scheme of single sign-on infrastructure developed for a range of applications rather than focusing app/instance-wise. 2) Reduce overload on app servers. 3) I can think of protecting static web content that I'm hosting on Apache instead of having it on the app server to secure it. – Rahul Anand Sep 16 '16 at 02:26
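
A sketch of the Apache side of the setup described in the question, added here as an example and not taken from the poster or from any answer. It assumes Apache 2.4.10 or later with mod_auth_kerb, mod_headers and mod_wl already loaded; the hostnames, realm, keytab path, context path and the `X-Remote-User` header name are placeholders.

```apache
# Added example: every hostname, realm, path and header name below is a placeholder.
<VirtualHost *:443>
    ServerName sso.example.com
    # TLS directives omitted for brevity.

    # Strip any identity header sent by the client before anything else runs,
    # so a request can never arrive at WebLogic with a client-chosen user name.
    RequestHeader unset X-Remote-User early

    <Location /app1>
        # SPNEGO/Kerberos authentication against the AD realm.
        AuthType Kerberos
        AuthName "Kerberos Login"
        KrbAuthRealms EXAMPLE.COM
        KrbServiceName HTTP
        # Keytab holding the HTTP service principal; readable only by the Apache user.
        Krb5KeyTab /etc/httpd/conf/http.keytab
        KrbMethodNegotiate On
        # Do not fall back to Basic auth with a Kerberos password.
        KrbMethodK5Passwd Off
        Require valid-user

        # Pass the authenticated principal to the backend. mod_headers runs this
        # after authentication, so REMOTE_USER is already set.
        RequestHeader set X-Remote-User "expr=%{REMOTE_USER}"

        # Hand the request to the WebLogic cluster through mod_wl.
        SetHandler weblogic-handler
        WebLogicCluster wls1.example.internal:7001,wls2.example.internal:7001
    </Location>
</VirtualHost>
```

The header is only as trustworthy as the path it travels: the WebLogic listen ports should accept connections from the Apache hosts only, otherwise anyone who can reach them directly can set the header themselves. How WebLogic consumes the header (for example through an identity asserter) is outside this sketch.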

0 Answers