IPA Server Web UI multiple network access

Posted on

I'm attempting to figure out if it's possible to configure IPA's web UI in such a way that it can be accessed from both a private and a public network infrastructure.

I've installed IPA server (version 3.0.0) on a RHEL 6.7 host (ipa.dev.internal) and configured an IPA domain (dev.internal). Our client machines reside on a separate domain (dev.external) and network, which the IPA server is additionally connected to.

From hosts on the internal network (, I am able to access the IPA web UI without issue, as expected.

From hosts on the external network (, I was initially presented with a blank screen when attempting to access the web UI.

I attempted to disable the httpd rewrite rules located in /etc/httpd/conf.d/ipa-rewrite.conf and restarted the httpd server: this allowed me to see the login page, but immediately presented me with a web app error dialog.

Lastly, I attempted to modify the ipa-rewrite.conf, replacing all instances of the initial FQDN (ipa.dev.internal) with the public FQDN (ipa.dev.external): this allowed me to see the login page and even to successfully submit login credentials. However, upon entered valid login credentials I am immediately redirected back to the login page in an infinite redirect loop.

Are there any glaring oversights I'm making? I imagine that the problem ultimately lies with Kerberos (and possibly my external client's HTTP referrer), but admittedly I lack expertise in that area.

Any help in getting this issue solved would be greatly appreciated.