Tags: nginx, active-directory, kerberos, spnego

SSO Authentication for multi Active Directory domains


There is an Nginx server configured for SSO authentication against one domain, using krb5 and spnego-http-auth-nginx-module.

How can you configure authentication against two domains at once?

Preferably the solution should use Nginx alone, without Apache, if that is possible.

Current configuration files:

# krb5.conf for a single realm: every host under test.local maps to DOMAIN.TEST.
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 # Realm is taken from [domain_realm] below rather than from DNS TXT records.
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 # Do not reverse-resolve host names when forming service principals.
 rdns = false
 default_realm = DOMAIN.TEST
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 DOMAIN.TEST = {
  kdc = domain.test
  admin_server = domain.test
 }

# Host-suffix -> realm mapping; both the bare domain and its subdomains go to DOMAIN.TEST.
[domain_realm]
 .test.local = DOMAIN.TEST
 test.local = DOMAIN.TEST
# Single-realm SPNEGO front end: requests authenticated against DOMAIN.TEST are
# proxied to the backend on :8000 with the authenticated user in a header.
server {
    listen       80;
    server_name  django.test.local;
    access_log  /var/log/nginx/host.access.log  main;

    location / {
        try_files $uri @backend;

        # spnego-http-auth-nginx-module: negotiate against DOMAIN.TEST using the
        # HTTP/django.test.local key from the system keytab.
        auth_gss on;
        auth_gss_realm DOMAIN.TEST;
        auth_gss_keytab /etc/krb5.keytab;
        auth_gss_service_name HTTP/django.test.local;
        # Basic fallback carries the user's password in the request; on this plain
        # :80 listener that goes over the wire unencrypted, so either terminate TLS
        # in front of this server or leave the fallback off.
        auth_gss_allow_basic_fallback on;
    }

    location @backend {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # $remote_user is filled in by auth_gss. This overwrites any client-supplied
        # X-Forwarded-User only for traffic that passes through nginx, so the backend
        # must not be reachable on :8000 directly from clients.
        proxy_set_header X-Forwarded-User $remote_user;
        proxy_redirect off;
        # Connecting to 0.0.0.0 reaches the local host on Linux; 127.0.0.1 is the portable form.
        proxy_pass http://0.0.0.0:8000;
    }
}

Solution

  • ktutil
    read_kt domain1.keytab
    read_kt domain2.keytab
    write_kt /etc/krb5_multidomain.keytab
    quit
    
    # Two-realm krb5.conf. NOTE(review): libkrb5 treats only lines that START with
    # '#' or ';' as comments, so the trailing "# append string" annotations below are
    # read as part of the values; strip them from the file that is actually deployed.
    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log
    
    [libdefaults]
     dns_lookup_realm = false
     ticket_lifetime = 24h
     renew_lifetime = 7d
     forwardable = true
     rdns = false
     # No default realm any more: nginx also stops pinning auth_gss_realm, so
     # presumably the realm comes from the client's ticket — confirm on both KDCs.
     # default_realm = DOMAIN.TEST
     # default_ccache_name = KEYRING:persistent:%{uid}
    
    [realms]
     DOMAIN.TEST = {
      kdc = domain.test
      admin_server = domain.test
     }
     DOMAIN2.TEST = {               # append string
      kdc = domain2.test            # append string
      admin_server = domain2.test   # append string
     }                              # append string
    
    # NOTE(review): both realms are mapped to the same suffix (test.local). With
    # duplicate relations libkrb5 presumably honours the first match, which would
    # still send every host to DOMAIN.TEST — verify, or give each realm its own
    # DNS suffix.
    [domain_realm]
     .test.local = DOMAIN.TEST
     test.local = DOMAIN.TEST
     .test.local = DOMAIN2.TEST       # append string
     test.local = DOMAIN2.TEST        # append string
    
    # Multi-realm front end: one merged keytab, no pinned realm, and the full
    # user@REALM name forwarded so the backend can tell the two domains' users apart.
    server {
        listen       80;
        server_name  django.test.local;
        access_log  /var/log/nginx/host.access.log  main;
    
        location / {
            try_files $uri @backend;        
    
            auth_gss on;
            # Realm is no longer pinned; presumably the acceptor then uses whichever
            # HTTP/django.test.local key in the merged keytab matches the client's
            # ticket — confirm with a client from each domain.
            # auth_gss_realm DOMAIN.TEST;
            # Full format makes $remote_user carry the realm (user@REALM); without it
            # same-named accounts in the two domains would be indistinguishable downstream.
            auth_gss_format_full on;                       # append string
            # Keytab produced by the ktutil merge above; it holds service keys for both
            # realms, so keep it readable by the nginx worker user only.
            auth_gss_keytab /etc/krb5_multidomain.keytab;  # change string
            auth_gss_service_name HTTP/django.test.local;
            # Basic fallback carries the user's password in the request; on this plain
            # :80 listener that goes over the wire unencrypted, so either terminate TLS
            # in front of this server or leave the fallback off.
            auth_gss_allow_basic_fallback on;
        }
    
        location @backend {
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # Overwrites any client-supplied X-Forwarded-User, but only for traffic that
            # passes through nginx: the backend on :8000 must not accept direct connections.
            proxy_set_header X-Forwarded-User $remote_user;
            proxy_redirect off;
            # Connecting to 0.0.0.0 reaches the local host on Linux; 127.0.0.1 is the portable form.
            proxy_pass http://0.0.0.0:8000;
        }
    }