Wir haben den Login so gelöst. Vielleicht hilft es:
[OMDHOST]# cat /opt/omd/sites/SITENAME/etc/apache/conf.d/site.conf
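# General configuration for this site
#
# Kerberos single sign-on for the site via mod_auth_gssapi, with mod_session /
# mod_session_cookie caching the authentication result in a cookie.
LoadModule auth_gssapi_module /usr/lib64/httpd/modules/mod_auth_gssapi.so
LoadModule session_module /usr/lib64/httpd/modules/mod_session.so
LoadModule session_cookie_module /usr/lib64/httpd/modules/mod_session_cookie.so

<Location "/SITENAME">
    # put your extra site configs here
    LogLevel Warn
    # Debug variant. NOTE(review): trace6 on the auth and session modules is very verbose and
    # may write authentication details to the error log - enable only while troubleshooting.
    # LogLevel Warn auth_gssapi_module:trace6 authz_core:trace6 session_module:trace6 session_cookie_module:trace6

    ## ---BEGIN--- KERBEROS - Authentication via mod_auth_gssapi
    AuthType GSSAPI
    AuthName "SITENAME SSO"

    # Fallback for clients that cannot negotiate: the browser sends user name and password as
    # HTTP Basic auth and the module verifies them via Kerberos. The password therefore
    # travels in the request itself, see the GssapiSSLonly note below.
    GssapiBasicAuth On
    GssapiAllowedMech krb5
    # GssapiAllowedMech ntlmssp
    GssapiBasicAuthMech krb5
    # GssapiNegotiateOnce On
    # GssapiImpersonate Off

    # Service keytab, used both for accepting tickets and as client keytab for delegation.
    # The keytab holds the long-term key of the service principal: keep it readable only by
    # the account the web server runs as.
    GssapiCredStore keytab:/etc/httpd/ssl/SPNSITE.keytab
    GssapiCredStore client_keytab:/etc/httpd/ssl/SPNSITE.keytab

    # Constrained delegation
    # Tickets obtained on behalf of users are written as credential caches into the directory
    # below. NOTE(review): this is a general tmp path of the site - confirm that only the site
    # user can read it, or point the directive at a dedicated directory with mode 0700.
    GssapiUseS4U2Proxy On
    GssapiDelegCcacheDir /opt/omd/sites/SITENAME/var/tmp/
    GssapiDelegCcacheUnique On

    # Disabled because the local backend on 127.0.0.1 is reached over plain http and the
    # authentication only happens there.
    # With GssapiBasicAuth On this is only safe if the front end that clients actually talk to
    # enforces HTTPS and this backend is not reachable from the network directly; otherwise
    # passwords and session cookies cross the wire unencrypted.
    GssapiSSLonly Off
    GssapiLocalName On
    GssapiConnectionBound On
    GssapiSignalPersistentAuth On

    # use cookies with mod_session to avoid constant and costly re-authentication attempts
    GssapiUseSessions On
    Session On
    SessionCookieName gssapi_session path=/;httponly;secure;
    # SessionMaxAge 1800

    # The session key encrypts and authenticates the session cookie; whoever knows the key may
    # be able to produce a cookie that is accepted as an authenticated session.
    # Do not derive the key from a readable sentence (base64 is an encoding, not a secret) and
    # never reuse a key that appears in a posting or in documentation. Generate random bytes:
    #   openssl rand -base64 32
    # SESSIONKEY_BASE64 is a placeholder for that output, like SITENAME and SPNSITE above.
    # Because the key is stored in this file, restrict read access to the file accordingly.
    # Per the mod_auth_gssapi documentation, omitting the directive makes the module generate
    # a random key at startup (sessions then do not survive a restart), and a file: scheme can
    # be used to keep the key out of the configuration.
    GssapiSessionKey key:SESSIONKEY_BASE64
    ## ---END----- KERBEROS - Authentication

    Require valid-user
</Location>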