Configuration of GssapiUseS4U2Proxy

[Norr]

Hi guys, I tried to use Kerberos for WebDAV authentication. I have my test environment:

1. AD Server - SAMBA
2. Apache Server (for Authentication)
3. Apache Server (for Authorization)
4. Ubuntu Desktop - as client

Everything works fine in scenario:

Environment

1. Apache server with Dav On and server name project-1-webdav.mydomain.internal
2. On the Domain Controller side I have been added user webdav and SPN with HTTP/project-1-webdav.mydomain.internal and keytab has been exported and sended to Apache Server [1] (samba documentation)
3. Configuration:

Alias /webdav /webdav
ServerName webdav.mydomain.internal
<VirtualHost *:443>
        ServerAlias *.mydomain.internal
        ServerName project-1-webdav.mydomain.internal
        DocumentRoot /webdav
        SSLEngine On
        SSLCertificateFile /etc/httpd/ssl/_wildcard.mydomain.internal.pem
        SSLCertificateKeyFile /etc/httpd/ssl/_wildcard.mydomain.internal-key.pem
#Logging

        ErrorLog /var/log/httpd/webdav/error_log
        CustomLog /var/log/httpd/webdav/access_log combined
        LogLevel debug
        <Directory /webdav>
                Dav On
########################## BASIC AUTH ####################################

                #AuthType Digest
                #AuthName webdav
                #AuthUserFile "/usr/share/httpd/user.passwd"
                #Require valid-user

########################### GSSAPI AUTH ###################################

                AuthType GSSAPI
                AuthName "Network Login"
                GssapiCredStore keytab:/etc/httpd/conf/httpd.keytab
                GssapiAllowedMech krb5
                GssapiBasicAuth Off
                GssapiLocalName On
                GssapiSSLonly On
                GssapiUseSessions On
                Require valid-user

######################### SHARED SETTINGS ###################################

                Options Indexes FollowSymLinks
                AllowOverride None
                DirectoryIndex disabled


        </Directory>

        <IfModule mod_session.c>
                Session on
        </IfModule>

        <IfModule mod_session_cookie.c>
                SessionCookieName gssapi_session path=/cookies_krb5;httponly;secure;
        </IfModule>

But my target environment will looks like this:

1. Multiple server instances with webdav, each of instance will has unique URL.
2. Only one account with only one SPN with delegation on Active Directory (Microsoft) side.
   I won't to be able to add SPN for each service (webdav server).

So I tried to configure similarly configuration on my test environment.
Now how to make SSO for each instance of webdav? I thought about something like this:

                                                   | ←-----→ 2. Apache (webdav1) ←---→ 1. Client 1
                                                   |
                                                   |        
4. Active Directory ←----→ 3. Apache (auth) ←----→ | ←-----→ 2. Apache (webdav2) ←---→ 1. Client 2
                                                   |
                                                   |
                                                   | ←-----→ 2. Apache (webdav3) ←---→ 1. Client 3

I tried to use GssapiUseS4U2Proxy without succeed. On my SAMBA side i have configured: UF_TRUSTED_FOR_DELEGATION, UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION, Services this account may delegate to: msDS-AllowedToDelegateTo: HTTP/auth-webdav.mydomain.internal.

I have doubts about:

1. Should I have kerberos server installed on Apache (auth) server or not?
2. In this scenario GssapiCredStore client_keytab: will be Client 1, Client 2, ... or Apache (webdav 1), Apache (webdav 2),...
3. How to create this client keytab?

All what I need is to make authorization and authentication via SSO for each of Apache WebDAV instance (with unique URL) using one SPN entry. If you need more information feel free to ask.