How to hand over remote_user through reverse proxy with mod_rewrite and mod_auth_kerb

10-24-2005
Tobias Walter

Hi,

I run a reverse proxy with mod_rewrite and authenticate users with
mod_auth_kerb.
Now I not only want to authenticate the user on the reverse proxy front
end but to authorize the user with software installed on the
hiddenserver. I try the following configuration to hand over the
authenticated user id as header HTTP_MY_USER to the hiddenserver behind
the reverse proxy:

# authenticate Kerberos user
<Location />
AuthType Kerberos
…
require valid-user
</Location>

# put REMOTE_USER in Environment,
# mod_rewrite comes before authentication, so use subrequest
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule /.* - [E=USER_IN_ENV:%1]

# Set my authorization header
RequestHeader set MY_USER %{USER_IN_ENV}e

# rewrite authenticated requests to the back end (reverse proxy configuration)
RewriteRule ^/(.*) http://hiddenserver/$1 [P]


My problem is:
mod_auth_kerb succeeds authenticating the sub request done with “LA-U”.
But fails to authenticate the real request, because the real request
uses the identical authentication request params and Kerberos rejects it
as a replay of the sub request:

> gss_accept_sec_context() failed: Miscellaneous failure (Request is a replay)

Without the “LA-U” the access to the hiddenserver succeeds - transparent
access only for Kerberos authenticated users – but the hiddenserver has
no info about the user:

HTTP_MY_USER = “(null)”

Does anyone have an idea how I could manage this, by only authenticating
the sub request or anything like that?

Thanks,
Tobias Walter
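
For the software on the hiddenserver that consumes this header, an added example (not part of the original post): WSGI middleware that accepts HTTP_MY_USER only when the request comes from the reverse proxy and rejects the "(null)" value shown above. A Python back end, the proxy address 10.0.0.5 and the names proxy_user and ProxyIdentity are assumptions.

```python
# Added example, not from the original post: WSGI middleware for the
# application on the hiddenserver. Proxy address and names are assumptions.
import ipaddress

TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}  # assumed proxy address
PLACEHOLDERS = {"", "(null)"}  # what arrives when USER_IN_ENV was never set


def proxy_user(environ, trusted=TRUSTED_PROXIES):
    """Return the user asserted by the reverse proxy, or None if untrusted."""
    try:
        peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return None
    if peer not in trusted:
        # Anyone who can reach the back end directly can send MY_USER too.
        return None
    user = environ.get("HTTP_MY_USER", "").strip()
    if user in PLACEHOLDERS:
        return None
    # Duplicate headers are merged with commas; whitespace or control
    # characters never belong in a single user id.
    if "," in user or any(c.isspace() or not c.isprintable() for c in user):
        return None
    return user


class ProxyIdentity:
    """Set REMOTE_USER from MY_USER, or answer 403 when it cannot be trusted."""

    def __init__(self, app, trusted=TRUSTED_PROXIES):
        self.app = app
        self.trusted = trusted

    def __call__(self, environ, start_response):
        environ.pop("REMOTE_USER", None)  # never inherit a stale identity
        user = proxy_user(environ, self.trusted)
        if user is None:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"no trusted identity from reverse proxy\n"]
        environ["REMOTE_USER"] = user
        return self.app(environ, start_response)
```

The address check only means something if the hiddenserver is reachable solely through the proxy, and the header is only as trustworthy as the proxy's `RequestHeader set`, which replaces any MY_USER value the client sent.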
 

