Jupyter notebook with optional lab - behind GSSAPI authentication proxy


I have a setup running jupyterhub 1.5.0 and would like to migrate the users from the classic notebook to lab - thus enabling them to move to lab for testing for a few months - then making it default.

The notebook is sitting behind an apache proxy that terminates SSL and GSSAPI (towards Active Directory). This genereally work very very well but when chaning the URL to /user//lab - the webbrower gets a 403 forbidden error code from the Jupyter server.

There seem to be something in the stack that causes lab to not work under external authentication - whereas the classic notebook does it well.


We did try to bump everything to most recent versions - but that fails in a different way.

Does anyone have a similar setup working ? (Integrated auth in Windows envionment, Jupyterhub - classic default + optional lab) - willing to share working configuration?

When I disable auth and just does a:

RequestHeader     set "Remote-User" JSKR

If i keep above - but enable auth -

AuthName "GSSAPI Single Sign On Login"
GssapiCredStore keytab:/etc/krb5.keytab
Require valid-user

Then notebook classic works - but moving to lab url fails.

My feeling is that the lab-version does someting that causes the authentication module to skip auth-headers going forward - thus not passing REMOTE_USER into the setup.