I am trying to build a generic Apache2 web server that acts as an authentication "gateway".
Scenario: someone browses to spn-servername.active-directory.int/secure, Apache should try to authenticate the user with Kerberos (ideally via SSO) and then forward them to a backend / another web service.
This works to the extent that authentication and SSO succeed, but I don't know how to generalize it to different containers in OpenShift while still using the same Active Directory user.
The problem is that if I change the container's servername and the servername in the Apache conf, authentication still works but SSO fails. I think this is because the Active Directory user's SPN and the servername differ? I want to deploy different applications with different server names without changing the user / keytab.
What is the best way to set up multiple Apache authentication gateways with different hostnames but the same Active Directory user?
000default.conf
<VirtualHost *:80>
ServerName generic-hostname.active-directory.int
DocumentRoot "/var/www/html"
<IfModule !mod_auth_kerb.c>
LoadModule auth_gssapi_module /usr/lib/apache2/modules/mod_auth_gssapi.so
</IfModule>
LimitRequestFieldSize 32768
<Location "/secure">
AuthType GSSAPI
AuthName "GSSAPILogin"
GssapiBasicAuth On
GssapiCredStore keytab:/etc/http.keytab
require valid-user
</Location>
LogLevel debug
ErrorLog /var/log/apache2/sso.test.local-error.log
CustomLog /var/log/apache2/sso.test.local-access.log combined
</VirtualHost>
Keytab creation:
ktpass -princ HTTP/spn-servername.active-directory.int@active-directory.int -mapuser sysaccount99@active-directory.int -pass mysecret -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out c:\Temp\http.keytab
Active Directory user:
displayName: sysaccount99
sAMAccountName: sysaccount99
userPrincipalName: HTTP/spn-servername.active-directory.int@active-directory.int
servicePrincipalName: HTTP/spn-servername.active-directory.int@active-directory.int and HTTP/spn-servername.active-directory.int
/var/log/apache2/sso.test.local-error.log when SSO fails:
[Wed Jan 08 14:00:11.964555 2020] [core:trace5] [pid 871:tid 139656674920192] protocol.c(653): [client 192.168.56.1:55607] Request received from client: GET /secure/ HTTP/1.1
[Wed Jan 08 14:00:11.964643 2020] [http:trace4] [pid 871:tid 139656674920192] http_request.c(394): [client 192.168.56.1:55607] Headers received from client:
[Wed Jan 08 14:00:11.964649 2020] [http:trace4] [pid 871:tid 139656674920192] http_request.c(398): [client 192.168.56.1:55607] Host: generic-hostname.active-directory.int
[Wed Jan 08 14:00:11.964652 2020] [http:trace4] [pid 871:tid 139656674920192] http_request.c(398): [client 192.168.56.1:55607] User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:60.0) Gecko/20100101 Firefox/60.0
[Wed Jan 08 14:00:11.964655 2020] [http:trace4] [pid 871:tid 139656674920192] http_request.c(398): [client 192.168.56.1:55607] Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
[Wed Jan 08 14:00:11.964658 2020] [http:trace4] [pid 871:tid 139656674920192] http_request.c(398): [client 192.168.56.1:55607] Accept-Language: de,en-US;q=0.7,en;q=0.3
[Wed Jan 08 14:00:11.964661 2020] [http:trace4] [pid 871:tid 139656674920192] http_request.c(398): [client 192.168.56.1:55607] Accept-Encoding: gzip, deflate
[Wed Jan 08 14:00:11.964664 2020] [http:trace4] [pid 871:tid 139656674920192] http_request.c(398): [client 192.168.56.1:55607] Connection: keep-alive
[Wed Jan 08 14:00:11.964667 2020] [http:trace4] [pid 871:tid 139656674920192] http_request.c(398): [client 192.168.56.1:55607] Upgrade-Insecure-Requests: 1
[Wed Jan 08 14:00:11.964707 2020] [authz_core:debug] [pid 871:tid 139656674920192] mod_authz_core.c(809): [client 192.168.56.1:55607] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Wed Jan 08 14:00:11.964713 2020] [authz_core:debug] [pid 871:tid 139656674920192] mod_authz_core.c(809): [client 192.168.56.1:55607] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Wed Jan 08 14:00:11.964728 2020] [auth_kerb:debug] [pid 871:tid 139656674920192] src/mod_auth_kerb.c(1971): [client 192.168.56.1:55607] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Jan 08 14:00:11.964734 2020] [core:trace3] [pid 871:tid 139656674920192] request.c(119): [client 192.168.56.1:55607] auth phase 'check user' gave status 401: /secure/
[Wed Jan 08 14:00:11.964796 2020] [http:trace3] [pid 871:tid 139656674920192] http_filters.c(1129): [client 192.168.56.1:55607] Response sent with status 401, headers:
[Wed Jan 08 14:00:11.964804 2020] [http:trace5] [pid 871:tid 139656674920192] http_filters.c(1136): [client 192.168.56.1:55607] Date: Wed, 08 Jan 2020 14:00:11 GMT
[Wed Jan 08 14:00:11.964807 2020] [http:trace5] [pid 871:tid 139656674920192] http_filters.c(1139): [client 192.168.56.1:55607] Server: Apache/2.4.18 (Ubuntu)
[Wed Jan 08 14:00:11.964810 2020] [http:trace4] [pid 871:tid 139656674920192] http_filters.c(958): [client 192.168.56.1:55607] WWW-Authenticate: Negotiate
[Wed Jan 08 14:00:11.964813 2020] [http:trace4] [pid 871:tid 139656674920192] http_filters.c(958): [client 192.168.56.1:55607] WWW-Authenticate: Basic realm=\\"
[Wed Jan 08 14:00:11.964816 2020] [http:trace4] [pid 871:tid 139656674920192] http_filters.c(958): [client 192.168.56.1:55607] Content-Length: 479
[Wed Jan 08 14:00:11.964819 2020] [http:trace4] [pid 871:tid 139656674920192] http_filters.c(958): [client 192.168.56.1:55607] Keep-Alive: timeout=5, max=100
[Wed Jan 08 14:00:11.964822 2020] [http:trace4] [pid 871:tid 139656674920192] http_filters.c(958): [client 192.168.56.1:55607] Connection: Keep-Alive
[Wed Jan 08 14:00:11.964824 2020] [http:trace4] [pid 871:tid 139656674920192] http_filters.c(958): [client 192.168.56.1:55607] Content-Type: text/html; charset=iso-8859-1
[Wed Jan 08 14:00:11.974410 2020] [core:trace5] [pid 871:tid 139656658134784] protocol.c(653): [client 192.168.56.1:55607] Request received from client: GET /secure/ HTTP/1.1
[Wed Jan 08 14:00:11.974456 2020] [http:trace4] [pid 871:tid 139656658134784] http_request.c(394): [client 192.168.56.1:55607] Headers received from client:
[Wed Jan 08 14:00:11.974469 2020] [http:trace4] [pid 871:tid 139656658134784] http_request.c(398): [client 192.168.56.1:55607] Host: generic-hostname.active-directory.int
[Wed Jan 08 14:00:11.974473 2020] [http:trace4] [pid 871:tid 139656658134784] http_request.c(398): [client 192.168.56.1:55607] User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:60.0) Gecko/20100101 Firefox/60.0
[Wed Jan 08 14:00:11.974476 2020] [http:trace4] [pid 871:tid 139656658134784] http_request.c(398): [client 192.168.56.1:55607] Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
[Wed Jan 08 14:00:11.974479 2020] [http:trace4] [pid 871:tid 139656658134784] http_request.c(398): [client 192.168.56.1:55607] Accept-Language: de,en-US;q=0.7,en;q=0.3
[Wed Jan 08 14:00:11.974482 2020] [http:trace4] [pid 871:tid 139656658134784] http_request.c(398): [client 192.168.56.1:55607] Accept-Encoding: gzip, deflate
[Wed Jan 08 14:00:11.974484 2020] [http:trace4] [pid 871:tid 139656658134784] http_request.c(398): [client 192.168.56.1:55607] Connection: keep-alive
[Wed Jan 08 14:00:11.974487 2020] [http:trace4] [pid 871:tid 139656658134784] http_request.c(398): [client 192.168.56.1:55607] Upgrade-Insecure-Requests: 1
[Wed Jan 08 14:00:11.974490 2020] [http:trace4] [pid 871:tid 139656658134784] http_request.c(398): [client 192.168.56.1:55607] Authorization: Negotiate TlRMLLVNTUAABAAKKl4II4gAAAAAAAABBBBBBBBAAAAGA4AlAAAADw==
[Wed Jan 08 14:00:11.974524 2020] [authz_core:debug] [pid 871:tid 139656658134784] mod_authz_core.c(809): [client 192.168.56.1:55607] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Wed Jan 08 14:00:11.974529 2020] [authz_core:debug] [pid 871:tid 139656658134784] mod_authz_core.c(809): [client 192.168.56.1:55607] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Wed Jan 08 14:00:11.974561 2020] [auth_kerb:debug] [pid 871:tid 139656658134784] src/mod_auth_kerb.c(1971): [client 192.168.56.1:55607] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Jan 08 14:00:11.974598 2020] [auth_kerb:debug] [pid 871:tid 139656658134784] src/mod_auth_kerb.c(1722): [client 192.168.56.1:55607] Verifying client data using KRB5 GSS-API
[Wed Jan 08 14:00:11.974671 2020] [auth_kerb:debug] [pid 871:tid 139656658134784] src/mod_auth_kerb.c(1738): [client 192.168.56.1:55607] Client didn't delegate us their credential
[Wed Jan 08 14:00:11.974676 2020] [auth_kerb:debug] [pid 871:tid 139656658134784] src/mod_auth_kerb.c(1766): [client 192.168.56.1:55607] Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.
[Wed Jan 08 14:00:11.974681 2020] [auth_kerb:debug] [pid 871:tid 139656658134784] src/mod_auth_kerb.c(1159): [client 192.168.56.1:55607] GSS-API major_status:00010000, minor_status:00000000
[Wed Jan 08 14:00:11.974688 2020] [auth_kerb:error] [pid 871:tid 139656658134784] [client 192.168.56.1:55607] gss_accept_sec_context() failed: An unsupported mechanism was requested (, Unknown error)
[Wed Jan 08 14:00:11.974696 2020] [core:trace3] [pid 871:tid 139656658134784] request.c(119): [client 192.168.56.1:55607] auth phase 'check user' gave status 401: /secure/
[Wed Jan 08 14:00:11.974712 2020] [http:trace3] [pid 871:tid 139656658134784] http_filters.c(1129): [client 192.168.56.1:55607] Response sent with status 401, headers:
[Wed Jan 08 14:00:11.974716 2020] [http:trace5] [pid 871:tid 139656658134784] http_filters.c(1136): [client 192.168.56.1:55607] Date: Wed, 08 Jan 2020 14:00:11 GMT
[Wed Jan 08 14:00:11.974718 2020] [http:trace5] [pid 871:tid 139656658134784] http_filters.c(1139): [client 192.168.56.1:55607] Server: Apache/2.4.18 (Ubuntu)
[Wed Jan 08 14:00:11.974722 2020] [http:trace4] [pid 871:tid 139656658134784] http_filters.c(958): [client 192.168.56.1:55607] WWW-Authenticate: Basic realm=\\"
[Wed Jan 08 14:00:11.974725 2020] [http:trace4] [pid 871:tid 139656658134784] http_filters.c(958): [client 192.168.56.1:55607] Content-Length: 479
[Wed Jan 08 14:00:11.974731 2020] [http:trace4] [pid 871:tid 139656658134784] http_filters.c(958): [client 192.168.56.1:55607] Keep-Alive: timeout=5, max=99
[Wed Jan 08 14:00:11.974734 2020] [http:trace4] [pid 871:tid 139656658134784] http_filters.c(958): [client 192.168.56.1:55607] Connection: Keep-Alive
[Wed Jan 08 14:00:11.974737 2020] [http:trace4] [pid 871:tid 139656658134784] http_filters.c(958): [client 192.168.56.1:55607] Content-Type: text/html; charset=iso-8859-1
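The debug log above says the received token "seems to be NTLM". A quick way to confirm that from the trace-level log, instead of relying on the module's heuristic, is to base64-decode the value of the Authorization: Negotiate header and look at its mechanism header: NTLM messages start with the NTLMSSP signature, while Kerberos and SPNEGO tokens are GSS-API InitialContextTokens that start with 0x60 followed by a DER length and the mechanism OID. The Python below is an added example, not code from the question or from mod_auth_kerb / mod_auth_gssapi. The log lines and tokens it scans are constructed here to mirror the log format shown above; the token printed in the poster's log is not used.

```python
import base64
import binascii
import re

# DER-encoded mechanism OIDs as they appear right after the 0x60 tag and length
# of a GSS-API InitialContextToken (RFC 2743 section 3.1).
SPNEGO_OID = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")    # 1.2.840.113554.1.2.2

# Matches the header line Apache prints at LogLevel trace4 for the client request.
AUTH_RE = re.compile(r"Authorization: Negotiate (\S+)")


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag: int, content: bytes) -> bytes:
    """Wrap content in a DER TLV with the given tag byte."""
    return bytes([tag]) + _der_len(len(content)) + content


def _skip_der_len(raw: bytes, pos: int) -> int:
    """Return the offset just past the DER length field that starts at pos."""
    first = raw[pos]
    return pos + 1 + ((first & 0x7F) if first & 0x80 else 0)


def classify_token(b64: str) -> str:
    """Name the mechanism a client put into 'Authorization: Negotiate <token>'."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return "undecodable"
    if raw.startswith(b"NTLMSSP\x00"):
        # Signature is followed by a little-endian message type (1, 2 or 3).
        msg_type = int.from_bytes(raw[8:12], "little") if len(raw) >= 12 else 0
        return f"ntlm (type {msg_type})"
    if raw[:1] == b"\x60" and len(raw) > 2:
        body = raw[_skip_der_len(raw, 1):]
        if body.startswith(SPNEGO_OID):
            return "spnego"
        if body.startswith(KRB5_OID):
            return "kerberos"
        return "gssapi (unknown mech)"
    return "unknown"


def scan_log(lines):
    """Classify every Negotiate token found in Apache trace-level log lines."""
    verdicts = []
    for line in lines:
        match = AUTH_RE.search(line)
        if match:
            verdicts.append(classify_token(match.group(1)))
    return verdicts


# --- Constructed sample data (not captured from the poster's server) -----------

def _ntlm_type1() -> bytes:
    # NTLM NEGOTIATE_MESSAGE: signature, type 1, a plausible flag set, and empty
    # domain / workstation fields. Flag values are a constructed example.
    flags = (0x00000001 | 0x00000002 | 0x00000200 | 0x20000000).to_bytes(4, "little")
    return b"NTLMSSP\x00" + (1).to_bytes(4, "little") + flags + bytes(16)


def _spnego_token() -> bytes:
    # NegTokenInit whose mechTypes list offers only Kerberos, wrapped in the SPNEGO OID.
    mech_list = _der(0x30, KRB5_OID)
    neg_token_init = _der(0xA0, _der(0x30, _der(0xA0, mech_list)))
    return _der(0x60, SPNEGO_OID + neg_token_init)


def _krb5_token() -> bytes:
    # Raw Kerberos InitialContextToken: OID, TOK_ID 01 00 (AP-REQ), placeholder body.
    return _der(0x60, KRB5_OID + b"\x01\x00" + b"<constructed AP-REQ placeholder>")


def _log_line(token: bytes) -> str:
    prefix = ("[Wed Jan 08 14:00:11.974490 2020] [http:trace4] [pid 871:tid 1] "
              "http_request.c(398): [client 192.168.56.1:55607] ")
    return prefix + "Authorization: Negotiate " + base64.b64encode(token).decode()


# Constructed log excerpt: an unrelated header line plus one line per mechanism.
SAMPLE_LOG = [
    "[Wed Jan 08 14:00:11.974469 2020] [http:trace4] [pid 871:tid 1] "
    "http_request.c(398): [client 192.168.56.1:55607] Host: generic-hostname.active-directory.int",
    _log_line(_ntlm_type1()),
    _log_line(_spnego_token()),
    _log_line(_krb5_token()),
]

if __name__ == "__main__":
    for verdict in scan_log(SAMPLE_LOG):
        print(verdict)
```

Run it against the real error log with scan_log(open(path)) to see what each client actually sent. An "ntlm" verdict on the first Authorization header means the browser never obtained a Kerberos service ticket for the hostname in the URL, which is consistent with the poster's suspicion that the SPN registered on the account and the servername the browser sees do not match; a "spnego" or "kerberos" verdict that is still rejected points at the keytab or credential store instead.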