Re: Apache reverse proxy and IIS integrated authentication


 



Hello André,

thanks for the answer.

Besides using NTLM, is there any alternative? Would Kerberos work?

Thanks,

Lucas


On Mon, Mar 30, 2009 at 18:40, André Warnier <aw@xxxxxxxxxx> wrote:
Lucas Ferreira wrote:
Hello,

I have a Microsoft IIS web server that uses integrated authentication:

WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM

I would like to set up an Apache-based reverse proxy before this web site. I
have the proxy configured and working for non-authenticated requests, but
every request that requires authentication fails with a "401 Unauthorized"
message. If I remove the proxy, the authentication works fine.

So, is it possible to forward integrated authentication using an Apache
reverse proxy? If yes, where can I find documentation on this?

This may be a problem because NTLM authentication is really connection-based (I mean not really per-request), and the connection which the browser has with your proxy is not the same as the connection which the proxy sets up with the back-end server. For example, it would be possible for the proxy to "pool" several client browser connections over a single connection to the back-end server, and that would not allow NTLM to work properly.

In a bit more detail: NTLM authentication requires multiple exchanges between the authenticating server and the browser, and these exchanges must happen in a certain ordered sequence, on the same HTTP connection.
So if two browsers (or even two windows in the same browser) each try to authenticate to the back-end server, but the proxy multiplexes these exchanges over a single connection to the back-end server, then from the back-end (IIS) server's point of view, the steps are seen as mixed-up (out of sequence on that single connection), and it will not work properly.

In summary, I think you are doomed, but I am willing to be proven wrong, as the subject is of interest to me also.
Another good place to ask may be the jCIFS list at jcifs@xxxxxxxxxxxxxxx

They are not Apache specialists there, but there are HTTP/NTLM specialists lurking there.
Just be nice and ask your question in a general sense, not expecting them to be specifically Apache proxy gurus.




---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
 "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx




--
If a tree falls in the forest and no one is around to see it, do the other trees make fun of it?
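
The out-of-sequence failure described in the quoted reply, as an added example that is not part of the original thread: a toy Python model in which the back end keeps handshake state per connection, run once with one back-end connection per client and once with a single pooled connection. HMAC-SHA256 stands in for the real NTLM computation, and all names and credentials are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample credentials (user -> shared secret); not from the thread.
SAMPLE_USERS = {"alice": b"alice-secret", "bob": b"bob-secret"}

def respond(secret, challenge):
    """Client proof over the server's challenge (stand-in for the NTLM response)."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()

class BackendConnection:
    """One connection to the back end; handshake state lives on the connection."""
    def __init__(self, users):
        self.users = users
        self.pending = None  # challenge most recently issued on THIS connection

    def request(self, msg):
        if msg[0] == "negotiate":            # step 1: client starts the handshake
            self.pending = os.urandom(8)     # step 2: server answers 401 + challenge
            return 401, self.pending
        if msg[0] == "authenticate":         # step 3: client answers the challenge
            _, user, proof = msg
            challenge, self.pending = self.pending, None  # a challenge is single-use
            if challenge is not None and user in self.users:
                expected = respond(self.users[user], challenge)
                if hmac.compare_digest(proof, expected):
                    return 200, user
        return 401, None                     # out of sequence or wrong proof

def run(users, pooled):
    """Interleave all clients' handshakes; return the final HTTP status per client."""
    shared = BackendConnection(users)
    conns = {u: shared if pooled else BackendConnection(users) for u in users}
    # Every client sends step 1 before any client sends step 3 (interleaved traffic).
    challenges = {u: conns[u].request(("negotiate",))[1] for u in users}
    return {
        u: conns[u].request(("authenticate", u, respond(users[u], challenges[u])))[0]
        for u in users
    }

if __name__ == "__main__":
    print("dedicated back-end connections:", run(SAMPLE_USERS, pooled=False))
    print("single pooled connection:      ", run(SAMPLE_USERS, pooled=True))
```

On the pooled connection the second negotiate overwrites the first client's challenge, so the first proof is checked against the wrong challenge and the second arrives with no challenge pending; both clients end with 401.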
