basic understandig about kerberos sso in apache

I'm trying to configure kerberos sso in apache at the moment. On the test server the website sub.internal.local workes quite well in reference to the kerb sso. When I try to adopt the config to another apache server, which is opend via sub.external.com I only get a log in dialogue.

So just for my understanding, what do I need to change in the krb5.conf file or the generating of the *.keytab file?

internal.local is our internal active directory domain;

external.com is our default webaddress from the outside, which also works internally because of an internal DNS-lookup zone;

You have not explained that you went through the basic setup for SPNEGO here, so I'll assume you didn't.

• Did you create a principal for HTTP/sub.external.com in the KDC?
• Are you able to obtain a service ticket for HTTP/sub.external.com using either MIT's kvno or Windows klist?
• Did you update the keytab on the webserver with the extra principal's keys?
• Have you used a tool like curl to run the SPNEGO auth and read the logs?
• Did you configure the browser to allow SPNEGO at *.external.com (or whatever domain whitelist is appropriate)?
• Have you confirmed that the browser does actually perform a Kerberos exchange by readings its logs or at least checking if a ticket for the HTTP principal is fetched?
• Have you read the server side logs?