HAProxy in front of SSO Apache Tomcat

Help!
1

Hello,

I would like to ask for help with correct HAProxy setup.

I have Apache tomcat servers configured with sso_krb.
I need advice if haproxy can act as load balancer in front of SSO server or if i can redirect the incoming request directly against the backend server.
Any help is highly appreciated.

If I login via Haproxy in tcp mode it send its own IP address to backend server and SSO fails:

2016-11-04 11:13:13,621 INFO http-bio-8777-exec-8 [IGatePluginServlet] Request IP-address: 10.249.2.237
2016-11-04 11:13:13,621 INFO http-bio-8777-exec-8 [IGatePluginServlet] Profiling: Startup
2016-11-04 11:13:13,622 INFO http-bio-8777-exec-8 [SSOKerberosServletPlugin] No ‘Authorization’ in header!
2016-11-04 11:13:13,622 INFO http-bio-8777-exec-8 [IGateProfiling] ?#TOTAL|162|10.249.2.237;plugin/ssokrb;Y;1||
2016-11-04 11:13:14,079 INFO http-bio-8777-exec-8 [IGatePluginServlet] Request IP-address: 10.249.2.237
2016-11-04 11:13:14,079 INFO http-bio-8777-exec-8 [IGatePluginServlet] Profiling: Startup
2016-11-04 11:13:14,080 INFO http-bio-8777-exec-8 [SSOKerberosServletPlugin] Authorization token length: 66
2016-11-04 11:13:14,080 INFO http-bio-8777-exec-8 [SSOKerberosServletPlugin] Kerberos token: TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==
2016-11-04 11:13:14,080 INFO http-bio-8777-exec-8 [SSOKerberosServletPlugin] It is probably a NTLM token and not a Kerberos one because it starts with TlRM
2016-11-04 11:13:14,299 ERROR http-bio-8777-exec-8 [SSOKerberosServletPlugin] Token: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==
java.lang.RuntimeException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)

When I connect directly to tomcat server from my computer it works:

2016-11-04 14:16:32,068 INFO http-bio-8777-exec-20 [SupportedBrowsersVerification] Verify browser <Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36>
2016-11-04 14:16:39,303 INFO http-bio-8777-exec-11 [IGatePluginServlet] Request IP-address: 10.242.80.116
2016-11-04 14:16:39,303 INFO http-bio-8777-exec-11 [IGatePluginServlet] Profiling: Startup
2016-11-04 14:16:39,303 INFO http-bio-8777-exec-11 [SSOKerberosServletPlugin] No ‘Authorization’ in header!
2016-11-04 14:16:39,304 INFO http-bio-8777-exec-11 [IGateProfiling] ?#TOTAL|166|10.242.80.116;plugin/ssokrb;Y;1||
2016-11-04 14:16:40,751 INFO http-bio-8777-exec-11 [IGatePluginServlet] Request IP-address: 10.242.80.116
2016-11-04 14:16:40,752 INFO http-bio-8777-exec-11 [IGatePluginServlet] Profiling: Startup
2016-11-04 14:16:40,752 INFO http-bio-8777-exec-11 [SSOKerberosServletPlugin] Authorization token length: 4310
2016-11-04 14:16:40,752 INFO http-bio-8777-exec-11 [SSOKerberosServletPlugin] Kerberos token: YIIMkwYGKwYBBQUCoIIMhzCCDIOgMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICHgYKKwYBBAGCNwICCqKCDE0EggxJYIIMRQYJKoZIhvcSAQICAQBuggw0MIIMMKADAgEFoQMCAQ6iBwMFACAAAACjggq5Y…

2016-11-04 14:16:40,978 INFO http-bio-8777-exec-11 [SSOKerberosServletPlugin] Security context successfully initialised!
2016-11-04 14:16:40,979 INFO http-bio-8777-exec-11 [giop] ClientConnectionManager: found ClientGIOPConnection to 127.0.0.1:10023 (1cae2b6c)
2016-11-04 14:16:40,980 INFO http-bio-8777-exec-11 [iiop] Connected to 127.0.0.1:10023 from local port 55719
2016-11-04 14:16:41,119 INFO http-bio-8777-exec-11 [SSOKerberosServletPlugin] Use redirect for login page
2016-11-04 14:16:41,119 INFO http-bio-8777-exec-11 [IGateProfiling] ?#TOTAL|167|10.242.80.116;plugin/ssokrb/spise/velocity/session/session_init.vm;Y;367||
2016-11-04 14:16:42,115 INFO http-bio-8777-exec-11 [SupportedBrowsersVerification] Verify browser <Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36>

2

Hello,

can somebody help me understand what is the best configuration for HAProxy when SSO and kerberos is involved?

I found this refference for Aloha:
https://www.haproxy.com/doc/aloha/7.0/deployment_guides/tls_layouts.html#ssl-tls-passthrough

Thanks