When setting up Windows authentication with Apache's mod_auth_sspi and needing to forward the authenticated username to backend servers, many developers hit a snag with environment variable availability. The standard approach using %{REMOTE_USER}e often fails silently.
The configuration you've tried is technically correct for most authentication modules, but mod_auth_sspi handles environment variables differently. The variables aren't available at the request header processing stage by default.
# This won't work as expected with mod_auth_sspi:
RequestHeader set X-Remote-User "%{REMOTE_USER}e" env=REMOTE_USER
You need to force the variable to be available later in the request cycle. Here's the verified configuration that works with Windows authentication:
ProxyRequests off
ProxyPass /clsoap/ http://127.0.0.1:12001/clsoap/
<Location /clsoap/>
ProxyPassReverse /clsoap/
AuthName "ADTest"
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIDomain primary.example.com
SSPIUsernameCase lower
SSPIOfferBasic Off
Require valid-user
# Critical modifications:
RewriteEngine On
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule . - [E=RU:%1]
RequestHeader set X-Remote-User "%{RU}e" env=RU
</Location>
The magic happens through these mechanisms:
- LA-U: look-ahead for URI-time variable resolution
- The rewrite rule captures and stores the username
- We reference the stored value in the header
If the rewrite method doesn't suit your environment, consider these options:
# Option 1: Use mod_headers with late variable evaluation
RequestHeader set X-Remote-User expr=%{REMOTE_USER}
# Option 2: Environment variable pass-through
SetEnvIf REMOTE_USER (.+) RU=$1
RequestHeader set X-Remote-User "%{RU}e" env=RU
After implementing the solution, verify with:
curl -v --negotiate -u : http://yourserver/clsoap/
Check for the X-Remote-User header in either the server logs or backend application logs.
If you still don't see the header:
- Ensure mod_rewrite is loaded (LoadModule rewrite_module modules/mod_rewrite.so)
- Check Apache error logs for header module warnings
- Verify SSPI authentication is actually occurring (temporarily remove the Proxy directives)
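For the backend-side check described above, a small stand-in backend can show exactly what Apache forwards in X-Remote-User. This is an added example, not part of the original configuration; it assumes Python 3 on the server and that the real backend on 127.0.0.1:12001 is stopped while it runs, and the verdict names are made up for illustration.

```python
"""Stand-in backend: reports what Apache forwarded in X-Remote-User."""
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

HEADER = "X-Remote-User"  # header name used in the configuration on this page


def classify(values):
    """Judge the header values seen on one request (verdict names are made up)."""
    if not values:
        return "missing"        # header never set, e.g. env=RU was not defined
    if len(values) > 1 or "," in values[0]:
        return "duplicate"      # several values arrived; backend cannot pick one
    user = values[0].strip()
    if user in ("", "(null)"):
        return "null"           # mod_headers expanded an unset variable
    if user != user.lower():
        return "case-mismatch"  # config on this page sets SSPIUsernameCase lower
    return "ok"


class EchoHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        values = self.headers.get_all(HEADER) or []
        verdict = classify(values)
        self.log_message("%s=%r -> %s", HEADER, values, verdict)  # to stderr
        body = f"{verdict} {values!r}\n".encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def serve(port=12001):
    """Listen on loopback only, matching the ProxyPass target on this page."""
    return ThreadingHTTPServer(("127.0.0.1", port), EchoHandler)


if __name__ == "__main__":
    serve().serve_forever()
```

Run it in place of the real backend and repeat the curl request; the response body and the stderr log show the verdict and the raw value the proxy sent.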
When integrating Windows authentication with backend services through Apache, passing the authenticated username becomes crucial for maintaining security context. The standard approach using the REMOTE_USER environment variable often fails with mod_auth_sspi configurations.
The configuration you're using attempts to access environment variables that aren't populated by mod_auth_sspi:
RequestHeader set X-Remote-User "%{REMOTE_USER}e" env=REMOTE_USER
RequestHeader set X-Auth-User "%{AUTH_USER}e" env=AUTH_USER
mod_auth_sspi handles authentication differently than basic auth modules, requiring special variable references.
This modified configuration correctly captures the authenticated user:
ProxyRequests off
ProxyPass /clsoap/ http://127.0.0.1:12001/clsoap/
<Location /clsoap/>
ProxyPassReverse /clsoap/
AuthName "ADTest"
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIDomain primary.example.com
SSPIUsernameCase lower
SSPIOfferBasic Off
Require valid-user
# Correct variable reference for mod_auth_sspi
RequestHeader set X-Remote-User expr=%{REMOTE_USER}
RequestHeader unset X-Remote-User early
RequestHeader set X-Remote-User %{REMOTE_USER}s
</Location>
- Using %{REMOTE_USER}s instead of %{REMOTE_USER}e accesses server variables
- The expr= syntax enables expression parsing
- Early unset ensures no stale values persist
For environments needing additional processing:
RewriteEngine On
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule . - [E=RU:%1]
RequestHeader set X-Remote-User "%{RU}e"
Add these directives to verify authentication:
LogLevel debug
ErrorLog logs/sspi_error.log
CustomLog logs/sspi_access.log "%h %l %u %t \"%r\" %>s %b"