Apache reverse proxy backend authentication - apache

I've set up an Apache reverse proxy for my application with LDAP authentication.
The problem is that the backend application also requires authentication.
After I entered the LDAP credentials, it always returns 401 and doesn't prompt for the application authentication.
The backend uses different credentials.

Assuming that the backend server uses the very same LDAP authentication as the frontend, you might want to have a look at the env var proxy-chain-auth in the docs for mod_proxy_http.

Related

How to send the WWW-Authenticate header using Keycloak using LDAP Kerberos

As per the Keycloak manual, the Kerberos authentication flow should be like:
https://www.keycloak.org/docs/latest/server_admin/#configuring-a-kerberos-storage-provider
A typical use case for web authentication is the following:
1. User logs into his desktop (Such as a Windows machine in Active Directory domain or Linux machine with Kerberos integration enabled).
2. User then uses his browser (IE/Firefox/Chrome) to access a web application secured by Keycloak.
3. Application redirects to Keycloak login.
4. Keycloak renders HTML login screen together with status 401 and HTTP header WWW-Authenticate: Negotiate
...
However, I'm not getting the WWW-Authenticate header after sending the login. What I'm getting is a 302 (Redirect) to the Realm but with no header!
Please note the following:
Keycloak
1 - User Federation LDAP configuration in Keycloak works correctly, I can log in and sync the LDAP users.
2 - Kerberos integration is set and the keytab file works correctly since I can do an LDAP search from the console.
3 - In the Keycloak Authentication flow Kerberos is enabled and required.
Client
1 - I had added the server URL to the Internet sites.
If you have any idea why the [WWW-Authenticate: Negotiate] header is not being sent I'll appreciate it.

Outsourcing Grafana's authentication process to my application server

Background:
I have an application server that has an endpoint of /api/token. What this API does is perform authentication against the supplied username and password using the standard basic authentication protocol.
When the process is successful, it returns an access token and HTTP code of 200 (OK). When it fails, HTTP code 401 (unauthorised) is returned.
Question: Is there any way I can make Grafana's login page pass on the login credentials to my application server for authentication?
No, unless you want to hack source code.
But you can use Grafana in auth proxy mode, where authentication will be made by some "auth" proxy. For example, auth will be made by a reverse proxy (e.g. Apache+mod_authnz_external) which will be in front of Grafana. All auth logic will be there and Grafana will just receive the request with request header X-WEBAUTH-USER value when user authentication is successful.
Another option is to start an OIDC Identity Provider (for example Keycloak), which will use your app auth endpoint for authentication. Grafana has native OIDC/OAuth support, so it will be just configured against your OIDC Identity Provider.
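
A sketch of the auth proxy setup described in the answer above, as an added example that is not part of the original answer or of Grafana's own documentation. The host name, certificate paths, the "apptoken" provider name and the check-app-token script are hypothetical; the script is assumed to validate credentials against the application's /api/token endpoint.

```apache
# Added example, not from the original answer. Hypothetical values: the host
# name, certificate paths, the "apptoken" name and the check-app-token script.
# Grafana is assumed to listen on 127.0.0.1:3000 only.
# Modules: ssl, proxy, proxy_http, headers, authnz_external.
<VirtualHost *:443>
    ServerName grafana.example.internal
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/grafana.example.internal.pem
    SSLCertificateKeyFile /etc/ssl/private/grafana.example.internal.key

    # mod_authnz_external, pipe method: the username and password are written
    # to the script's stdin, one per line; exit status 0 accepts the login.
    # The script (hypothetical) is assumed to call the application's
    # /api/token endpoint with those credentials and exit 0 only on HTTP 200.
    DefineExternalAuth apptoken pipe /usr/local/bin/check-app-token

    ProxyRequests Off
    ProxyPreserveHost On

    <Location "/">
        AuthType Basic
        AuthName "Grafana"
        AuthBasicProvider external
        AuthExternal apptoken
        Require valid-user

        # "set" replaces any X-WEBAUTH-USER the client sent, so the value
        # Grafana sees always comes from the authenticated REMOTE_USER.
        RequestHeader set X-WEBAUTH-USER "expr=%{REMOTE_USER}"
        # Do not forward the user's password to Grafana.
        RequestHeader unset Authorization
    </Location>

    ProxyPass        "/" "http://127.0.0.1:3000/"
    ProxyPassReverse "/" "http://127.0.0.1:3000/"
</VirtualHost>

# Matching grafana.ini settings, shown as comments:
#   [server]
#   http_addr = 127.0.0.1
#   [auth.proxy]
#   enabled = true
#   header_name = X-WEBAUTH-USER
#   header_property = username
#   auto_sign_up = true
#   whitelist = 127.0.0.1
```

Because Grafana trusts whatever X-WEBAUTH-USER it receives, binding it to 127.0.0.1 and restricting the whitelist to the proxy's address keeps any other client from asserting an identity directly.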

Running IdentityServer3 in IIS with Anonymous authentication disabled

Is it possible to run IdentityServer3 in IIS (hosted in IIS) with only Windows Authentication enabled? Is it mandatory to have anonymous authentication also enabled? If so, why is anonymous authentication required?
I am running the "MVC OWIN Client (Hybrid)" sample application and trying to access the IdentityServer3, which is configured only with Windows Authentication in IIS. I am getting a response of unauthorized; it looks like the "MVC OWIN Client (Hybrid)" sample is trying to access the ../dentityServer3/.well-known/openid-configuration' and failing, because anonymous is disabled.
Any suggestions?
The Microsoft OpenID Connect middleware makes a request to the discovery endpoint to download issuer metadata. This assumes that anonymous access is enabled.
You'd need to statically configure the middleware instead. You can try to configure a BackChannelHandler that has Windows authentication enabled. Should work but haven't tried yet.

Apache mod_auth_kerb

I have a setup using Apache and mod_auth_kerb to authenticate users and proxy them to the destination web server using an HTTP header with username (X-Remote-User).
How do I set up a proper logout mechanism from the destination web server?
- URL to call or similar?
Our setup works like this:
We have one url, which is protected by Kerberos:
/kerberos_login
Once a client accesses it, Kerberos authentication is performed. If successful, the client is redirected to /, which is not protected by Kerberos.
To log out, clients have to access the logout URL (that one is also not protected by Kerberos):
/logout

Basic Authentication for Axis2 through WebLogic

I'm trying to add Basic Authentication for my web service based on Axis2.
Tomcat successfully passes auth data to the web service code, but WebLogic uses this information for its own purposes (it tries to authenticate the request).
Is it possible to configure WebLogic to allow passing auth data depending on the URL, for example?