I am sorry I missed the proxy aspect in your original mail. But proxy with Kerberos in general is not a simple thing to do and should be avoided. Some hints on how to deal with proxy if you want Kerberos to work can be found here:
https://ssimo.org/blog/id_019.html
I am not sure whether they are applicable to your situation or not.
The user service ticket needs to get to your actual wiki and it should match the wiki service principal and key in the keytab. If proxy gets in the way you will have issues. What you can do is try KDC proxy instead of the reverse proxy.
https://github.com/latchset/kdcproxy/blob/master/README

Dmitri

On Fri, Jul 13, 2018 at 9:13 PM, Jaap Winius <jwin...@umrk.nl> wrote:

> Quoting Dmitri Pal <d...@redhat.com>:
>
>> You can use an older package called mod_auth_kerb.
>> It is not recommended as mod_auth_gssapi is much better but if your distro
>> does not have it you might not have a choice.
>
> Sorry, but I neglected to say that I already had libapache2-mod-auth-kerb
> installed on both servers; it's what I've been using for some time to
> support Kerberos authentication for directly connected users. But, I guess
> that package is just not good enough for the proxy configuration that I
> have in mind.
>
> Cheers,
>
> Jaap

--
Thank you,
Dmitri Pal
Engineering Director, Identity Management and Platform Security
Red Hat, Inc.

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos