Hi, there are these settings in RT:
# tells RT to use the REMOTE_USER provided by the web server Set($WebExternalAuth , 1); # tells RT to display its normal login screen if REMOTE_USER fails Set($WebFallbackToInternalAuth , 1); # tells RT to create users automatically if no user matching REMOTE_USER is found Set($WebExternalAuto , 1); I have them all set except the last one as we use LDAPImport. So I would expect RT to not drop the REMOTE_USER. Or is this obsolete? Best Regards, Oliver From: ruslan.zaki...@gmail.com [mailto:ruslan.zaki...@gmail.com] On Behalf Of Ruslan Zakirov Sent: Dienstag, 3. September 2013 21:47 To: Oliver Weinmann Cc: rt-users@lists.bestpractical.com Subject: Re: [rt-users] RT 4.0.4 behind Apache Reverse Proxy with mod_auth_kerb Hi, Why do you expect remote server where you host RT to respect REMOTE_USER and not to drop it? If a web server would pass remotely provided REMOTE_USER further to an app without additional configuration then we wouldn't use it for authentication. On Mon, Sep 2, 2013 at 5:14 PM, Oliver Weinmann <oliver.weinm...@telespazio-vega.de<mailto:oliver.weinm...@telespazio-vega.de>> wrote: Hi all, we have successfully setup RT 4.0.4 with ldap_import and mod_auth_kerb. Now we need to get the setup running through our reverse proxy. What we have on our reverse proxy is this: ProxyPass /rt/ http://hostname.local/rt/ max=100 ProxyPassReverse /rt/ http://hostname.local/rt/ RedirectMatch ^/$ /rt/ # Proxy all locations <Proxy *> AddDefaultCharset off Order deny,allow Deny from none </Proxy> <Location /rt> AuthType Kerberos AuthName "Kerberos Login" KrbAuthRealms KRB5.LOCAL Krb5KeyTab /etc/apache2/host.keytab KrbMethodNegotiate on KrbAuthoritative on KrbMethodK5Passwd off KrbSaveCredentials on require valid-user # SSO RewriteEngine On RewriteCond %{LA-U:REMOTE_USER} (.+)$ RewriteRule . - [E=RU:%1] RequestHeader set REMOTE_USER %{RU}e </Location> Running tcpdump we can see that REMOTE_USER is set and send to the host hosting RT. It looks like RT is not picking it up. As far as I understood is that my user gets authenticated at the proxy and RT should trust these credentials and log in the user. -- Best regards, Ruslan.