Kerberos/SPNEGO authentication through Apache to CherryPy


We want the ability to provide seamless single sign-on into our web application. Our users are all using a modern version of IE and they will be accessing our website locally within an intranet; they will all be logged into Windows with AD accounts.

It seems that we can use Integrated Windows Authentication to have the browser pass through the credentials, so this side looks fine.

But on the server side we have Apache 2.2 (hosted on Windows Server 2008+) with CherryPy sitting behind it - we use Rewrite rules to pass requests into CherryPy.

I have managed to find a Windows-compiled version of mod_spnego for Apache 2.2 (https://github.com/ibauersachs/mod_spnego) and I believe I have this configured in some way to authenticate the clients using their AD credentials.

However, we need to get these users' details through to CherryPy somehow, as we need to obtain further AD details over LDAP to apply permissions in our application (something that we already do, but with simple username/password authentication first). This is where I have hit a dead end, as I can't seem to find a way to do this.

I've seen various talk about the REMOTE_USER environment variable and suggestions for setting an extended header with the information we need in Apache, but none of this seems to work.

Could anyone help me understand how to go about this? Apologies if I've not described everything correctly above, as I say I am new to Kerberos/SPNEGO and may be missing something obvious, or trying to overcomplicate things, potentially.
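The backend side of the header approach mentioned in the question, as an added example that is not part of the original post: a check CherryPy could run before using a proxy-supplied username in an LDAP lookup. The header name `X-Remote-User`, the proxy address, the realm and the `user@REALM` value format are assumptions; the check is only meaningful if Apache overwrites any client-sent copy of the header and is the only host able to reach the CherryPy port.

```python
import ipaddress
import re

# Assumptions (not from the original post), all constructed for illustration.
IDENTITY_HEADER = "X-Remote-User"                          # hypothetical header set by Apache
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32")]   # where Apache connects from
EXPECTED_REALM = "EXAMPLE.LOCAL"                           # constructed Kerberos realm
# Conservative allowlist: nothing that is special in an LDAP filter can pass.
ACCOUNT_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


class UntrustedIdentity(Exception):
    """The forwarded identity must not be used for authorization."""


def principal_from_proxy(headers, peer_ip):
    """Return the account name asserted by the proxy, or raise UntrustedIdentity.

    headers: mapping of request headers (cherrypy.request.headers in CherryPy)
    peer_ip: address of the TCP peer (cherrypy.request.remote.ip in CherryPy)
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        # Anyone who can reach the backend directly can forge the header.
        raise UntrustedIdentity("request did not arrive through the proxy")

    wanted = IDENTITY_HEADER.lower()
    values = [v for k, v in headers.items() if k.lower() == wanted]
    if len(values) != 1 or not values[0].strip():
        raise UntrustedIdentity("identity header missing or ambiguous")

    # Accept either "user" or "user@REALM"; reject any other realm.
    user, sep, realm = values[0].strip().partition("@")
    if sep and realm.upper() != EXPECTED_REALM:
        raise UntrustedIdentity("unexpected Kerberos realm")
    if not ACCOUNT_RE.fullmatch(user):
        raise UntrustedIdentity("account name contains unexpected characters")
    return user


def ldap_filter_for(user):
    """Build the AD lookup filter from an already validated account name."""
    return "(sAMAccountName=%s)" % user
```
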
