Hi,

please take a look at inline comments:

On Mon, Oct 3, 2016 at 9:15 AM, <aleksey.maksimov@it-kb.ru> wrote:

Yes. Of course. Here are my configs.

=====================================================================================
# cat /etc/ovirt-engine/aaa/ovirt-sso.conf

<LocationMatch ^(/ovirt-engine/(webadmin|userportal|api)|/api)>
RewriteEngine on
RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]
RequestHeader set X-Remote-User %{REMOTE_USER}s
AuthType Kerberos
AuthName "Kerberos Login"
Krb5Keytab /etc/httpd/s-oVirt-Krb.keytab
KrbAuthRealms AD.HOLDING.COM
#KrbMethodNegotiate on
#KrbMethodK5Passwd on
KrbMethodK5Passwd off
Require valid-user
</LocationMatch>

Ahh, this is the issue. Above configuration is valid for oVirt 3.x, but in 4.0 we have quite new OAuth base SSO, so you need to use following configuration:

<LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)|^/ovirt-engine/api>
<If "req('Authorization') !~ /^(Bearer|Basic)/i">
RewriteEngine on
RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]
RequestHeader set X-Remote-User %{REMOTE_USER}s
AuthType Kerberos
AuthName "Kerberos Login"
Krb5Keytab /etc/httpd/s-oVirt-Krb.keytab
KrbAuthRealms AD.HOLDING.COM
KrbMethodK5Passwd off
Require valid-user
ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/><body><a href=\"/ovirt-engine/sso/login-unauthorized\">Here</a></body></html>"

</If>

</LocationMatch>

Also as 4.0 is working on EL7 you may use mod_auth_gssapi/mod_session instead of quite old mod_auth_krb. For mod_auth_gssapi/mod_sessions you need to do following:

1. yum install mod_session mod_auth_gssapi

2. Use following Apache configuration

<LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)|^/ovirt-engine/api>
<If "req('Authorization') !~ /^(Bearer|Basic)/i">
    RewriteEngine on
    RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
    RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]
    RequestHeader set X-Remote-User %{REMOTE_USER}s

    AuthType GSSAPI
    AuthName "Kerberos Login"

    # Modify to match installation
    GssapiCredStore keytab:/etc/httpd/s-oVirt-Krb.keytab
    GssapiUseSessions On
    Session On
    SessionCookieName ovirt_gssapi_session path=/private;httponly;secure;

    Require valid-user
    ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/><body><a href=\"/ovirt-engine/sso/login-unauthorized\">Here</a></body></html>"
</If>
</LocationMatch>

# ls -la /etc/httpd/conf.d/ovirt-*

-rw-r--r--. 1 root root 33 Jul 26 16:42 /etc/httpd/conf.d/ovirt-engine-root-redirect.conf
lrwxrwxrwx. 1 root root 36 Sep 30 00:06 /etc/httpd/conf.d/ovirt-sso.conf -> /etc/ovirt-engine/aaa/ovirt-sso.conf

=====================================================================================
# cat /etc/ovirt-engine/aaa/ad.holding.com.properties

include = <ad.properties>
vars.domain = ad.holding.com
pool.default.auth.simple.bindDN = s-oVirt-LS@${global:vars.domain}
pool.default.auth.simple.password = Passw0rd
pool.default.dc-resolve.enable = false
search.default.dc-resolve.enable = false
search.ad-resolve-upn.search-request.baseDN = DC=ad,DC=holding,DC=com
pool.default.serverset.type = failover
pool.default.serverset.failover.00.server = kom-dc01.${global:vars.domain}
pool.default.serverset.failover.01.server = kom-dc02.${global:vars.domain}
pool.default.serverset.failover.port = 636
pool.default.serverset.failover.domain = ${global:vars.domain}
pool.default.ssl.enable = true
pool.default.ssl.protocol = TLSv1.2
pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.domain}.jks
pool.default.ssl.truststore.password = changeit

=====================================================================================
# cat /etc/ovirt-engine/extensions.d/ad.holding.com-authz.properties

ovirt.engine.extension.name = ad.holding.com-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = ../aaa/ad.holding.com.properties

=====================================================================================
# cat /etc/ovirt-engine/extensions.d/ad.holding.com-http-authn.properties

ovirt.engine.extension.name = ad.holding.com-http-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.http.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = ad.holding.com-http
ovirt.engine.aaa.authn.authz.plugin = ad.holding.com-authz
ovirt.engine.aaa.authn.mapping.plugin = ad.holding.com-http-mapping
config.artifact.name = HEADER
config.artifact.arg = X-Remote-User

=====================================================================================
# cat /etc/ovirt-engine/extensions.d/ad.holding.com-http-mapping.properties

ovirt.engine.extension.name = ad.holding.com-http-mapping
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping
config.mapAuthRecord.type = regex
config.mapAuthRecord.regex.mustMatch = true
config.mapAuthRecord.regex.pattern = ^(?<user>.*?)((\\\\(?<at>@)(?<suffix>.*?)@.*)|(?<realm>@.*))$
config.mapAuthRecord.regex.replacement = ${user}${at}${suffix}${realm}

03.10.2016, 09:56, "Martin Perina" <mperina@redhat.com>:

> Ahh, so kerberos SSO works fine for API, but not for portals. Could you please share your Apache configuration with oVirt kerberos configuration? Usually it's in /etc/ovirt-engine/aaa/ovirt-sso.conf