SSO Active Directory Kerberos Apache Ubuntu

[Gino Pino <uffa14@xxxxxxxxx>]

Hello,
I'm tryng to setup SSO from an AD client towards apache 2.4 on ubuntu 20.4LTS.

this is the enviroment:
XXX.LOCAL is de Active directory domain

zzz.it is the internet domain (with ssl wildcard certificate)

dc1.xxx.local 172.16.3.18 is the Windows DC server, and the internal DNS server

intranet.xxx.local 172.16.3.245 is the ubuntu server,

In the DNS server there are 2 A records  

intranet.zzz.it   172.16.3.245 (in the forward search zone zzz.it)
intranet.xxx.local 172.16.3.245 (in the forward search zone xx.it)

and the relative PTR in the reverse zones  

That's because i'd like to use https connection with the ssl cerfificate for the *.zzz.it domain.

Following a tutorial on   https://sites.google.com/site/mrxpalmeiras/kerberos-sso-configuration, i  
(and after various searches and attempts) I took the following steps:

1) Setup /etc/krb5.conf on target server
file /etc$  krb5.conf
[logging]
default = FILE:/var/log/apache2/log.krb5default
admin_server = FILE:/var/log/apache2/log.krb5admin

[libdefaults]
default_realm = XXX.LOCAL

[realms]
XXX.LOCAL = {
kdc = dc1.xxx.local
admin_server = dc1.xxx.local
}

[domain_realm]
intranet.zzz.it = XXX.LOCAL
.zzz.it = XXX.LOCAL


 2)Create a service principal in Active Directory and a keytab for apache authentication
 sudo msktutil --create --use-service-account --user-creds-only
 --service HTTP -s HTTP/intranet.zzz.it
 --keytab ./kerberos2.keytab
 --account-name kerberosintranet
 --hostname intranet.xxx.local
 --base 'OU=-Users' --no-pac --dont-expire-password --verbose

3)Setup the Apache web server on target server

<VirtualHost *:443>
        SSLEngine on
        SSLCertificateFile      /etc/ssl/certs/STAR_zzz_it.crt
        SSLCertificateKeyFile   /etc/ssl/certs/wildcard2022.zzz.it.key
        SSLCertificateChainFile /etc/ssl/certs/STAR_zz_it.ca-bundle
        ServerAdmin admin@xxxxxxxx
        ServerName intranet.zzz.it
        DocumentRoot /dati/intranet

        Options +FollowSymLinks -Indexes

        CustomLog  ${APACHE_LOG_DIR}/https443_access.log combined
        LogLevel debug
        ErrorLog  ${APACHE_LOG_DIR}/https443_error.log

        Alias /topsecret/ "/dati/segreto/"

       <Directory "/dati/segreto/">
             Options FollowSymLinks
             AllowOverride None
             AuthType  Kerberos
             KrbAuthRealms XXX.LOCAL
             KrbServiceName HTTP
             Krb5Keytab /etc/winkerberos.keytab
             KrbMethodNegotiate on
             KrbMethodK5Passwd on
             require valid-user
       </Directory>
</VirtualHost>

4) Configure the user browser for automatic logon
i have skipped this stap to have pop up asking for user & password.

Now when i try to open https://zzz.it/topsecret/info.php (the only page in the folder)
I got the popup for credential, but cannot login!!

this is the error.log when i try to open the page: (stripped out date-time and pid for readability)
[ssl:info]  [client 172.16.0.222:12068] AH01964: Connection to child 4 established (server intranet.zzz.rn.it:443)
[ssl:debug]  ssl_engine_kernel.c(2372): [client 172.16.0.222:12068] AH02043: SSL virtual host for servername intranet.zzz.rn.it found
[ssl:debug]  ssl_engine_kernel.c(2372): [client 172.16.0.222:12068] AH02043: SSL virtual host for servername intranet.zzz.rn.it found
[core:debug]  protocol.c(2428): [client 172.16.0.222:12068] AH03155: select protocol from , choices=h2,http/1.1 for server intranet.zzz.rn.it
[ssl:debug]  ssl_engine_kernel.c(2254): [client 172.16.0.222:12068] AH02041: Protocol: TLSv1.3, Cipher: TLS_AES_128_GCM_SHA256 (128/128 bits)
[ssl:debug]  ssl_engine_kernel.c(415): [client 172.16.0.222:12068] AH02034: Initial (No.1) HTTPS request received for child 4 (server intranet.zzz.rn.it:443)
[authz_core:debug]  mod_authz_core.c(817): [client 172.16.0.222:12068] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[authz_core:debug]  mod_authz_core.c(817): [client 172.16.0.222:12068] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[auth_kerb:debug]  src/mod_auth_kerb.c(1963): [client 172.16.0.222:12068] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[ssl:debug]  ssl_engine_kernel.c(415): [client 172.16.0.222:12068] AH02034: Subsequent (No.2) HTTPS request received for child 4 (server intranet.zzz.rn.it:443)
[authz_core:debug]  mod_authz_core.c(817): [client 172.16.0.222:12068] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[authz_core:debug]  mod_authz_core.c(817): [client 172.16.0.222:12068] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[auth_kerb:debug]  src/mod_auth_kerb.c(1963): [client 172.16.0.222:12068] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[auth_kerb:debug]  src/mod_auth_kerb.c(1046): [client 172.16.0.222:12068] Using HTTP/intranet.zzz.rn.it@XXX.LOCAL as server principal for password verification
[auth_kerb:debug]  src/mod_auth_kerb.c(752): [client 172.16.0.222:12068] Trying to get TGT for user cedtm@XXX.LOCAL
[auth_kerb:debug]  src/mod_auth_kerb.c(662): [client 172.16.0.222:12068] Trying to verify authenticity of KDC using principal HTTP/intranet.zzz.rn.it@XXX.LOCAL
[auth_kerb:debug]  src/mod_auth_kerb.c(705): [client 172.16.0.222:12068] krb5_rd_req() failed when verifying KDC
[auth_kerb:error]  [client 172.16.0.222:12068] failed to verify krb5 credentials: Service key not available
[auth_kerb:debug]  src/mod_auth_kerb.c(1128): [client 172.16.0.222:12068] kerb_authenticate_user_krb5pwd ret=401 user=(NULL) authtype=(NULL)
 
I missing something, after a week of test and search i didn't came out, so hope someone can help me!
Thank's
Marco