Posted to bugs@httpd.apache.org by bu...@apache.org on 2006/05/29 14:47:21 UTC
DO NOT REPLY [Bug 39673] New: - mod_proxy opens connections that disturb NTLM
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=39673>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=39673
Summary: mod_proxy opens connections that disturb NTLM
Product: Apache httpd-2
Version: 2.2.0
Platform: Sun
OS/Version: Solaris
Status: NEW
Severity: normal
Priority: P2
Component: mod_proxy
AssignedTo: bugs@httpd.apache.org
ReportedBy: ob@dorrboel.com
The following configuration works fine with Apache 2.0:
- client: IE + Windows XP
- Reverse Proxy: Apache 2.0 running on Solaris 9
- IIS (Windows) server with NTLM authentication enabled
When a protected page (via ACL on the IIS server) is accessed by the
client, thanks to Windows integrated authentication, the page is
displayed without any user intervention (user identification prompt).
Since Apache 2.2, the user receives an identification prompt and, although
the username/password he enters are correct, he is not authorized.
Looking at the network traffic, it seems that the NTLM authentication
process is made of 3 requests.
Between the client and the RP, they use a single connection (same
port).
Between the RP and the IIS server, they use a single connection if the
RP is running on Apache 2.0; however, with Apache 2.2, the 3 requests
use 3 different connections (3 ports), which makes NTLM fail.
This problem is reproducible at will.
I tried the "ProxyPass keepalive=On" directive but it didn't help.
Is there a workaround?
--
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
rpluem@apache.org changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |NEEDINFO
------- Additional Comments From rpluem@apache.org 2006-05-29 19:41 -------
Have you tried upgrading to 2.2.2? Keepalive in the proxy does not work
correctly with 2.2.0.
------- Additional Comments From rpluem@apache.org 2006-05-30 19:54 -------
*** Bug 39680 has been marked as a duplicate of this bug. ***
------- Additional Comments From peter.pearce@petrosa.co.za 2007-12-17 00:49 -------
"Indeed, Apache 2.2.2 brings some improvement :"
As does 2.2.4, however, it seems that 2.2.6 breaks it again. This was
immediately obvious after upgrade with no change in configs. (keepalives off)
------- Additional Comments From ob@dorrboel.com 2006-05-30 08:31 -------
Indeed, Apache 2.2.2 brings some improvement:
1. ProxyPass directive works fine (i.e. uses the same port for all
connections), even without the "keepalive=On" option
2. However, RewriteRule ^(.*)$ http://windows_server$1 [P,NE] still uses
different ports to communicate with the back-end Windows server although the
communication between the client and the RP uses the same port. In other words,
the Rewrite module, when used in conjunction with the Proxy module, "splits"
the communication on different ports, resulting in NTLM failure.
Thanks for your help!
------- Additional Comments From wrowe@apache.org 2006-05-30 20:43 -------
NTLM Auth by Microsoft violates the HTTP/1.1 RFCs, all of which defined the protocol
as stateless. It might behove us either to
1) provide a config directive to proxy-stateful and not recycle connections
to specific / pattern match of hosts, and/or
2) detect NTLM crap and mark the connection as non-recyclable.
------- Additional Comments From ob@dorrboel.com 2006-05-30 08:28 -------
Indeed, Apache 2.2.2 brings some improvement:
1. ProxyPass directive works fine (i.e. uses the same port for all
connections), even without the "keepalive=On" option
2. However, RewriteRule ^(.*)$ http://windows_server$1 [P,NE] still uses
different ports to communicate with the back-end Windows server although the
communication between the client and the RP uses the same port. In other words,
the Rewrite module, when used in conjunction with the Proxy module, "splits"
the communication on different ports, resulting in NTLM failure.
Thanks for your help!
------- Additional Comments From rpluem@apache.org 2006-05-30 20:13 -------
Meanwhile I found some time to have a look at how NTLM auth actually works. As a
result I found out that the current 2.2.x proxy implementation does NOT support
NTLM, because there is no guarantee that the same backend connection is used for
the next request on a keepalive frontend connection. Each request from a
frontend connection leases a backend connection from a connection pool for the
request and returns it back to the pool immediately after the request has been
processed. If the next request on this keepalive frontend connection is
processed it may lease a different backend connection from the pool. As far as I
understand NTLM this approach is not compatible with NTLM. I will send a follow
up on the dev list for further discussion.
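The failure the reporter observed (three NTLM requests spread over three backend ports) and the cause rpluem gives (a backend connection is leased from a shared pool per request and returned immediately) can be reproduced in a small model. The following is an added example, not httpd code and not part of the bug report: a constructed NTLM-like backend that keeps the Type 1/Type 2/Type 3 handshake state on the connection, a per-request connection pool as rpluem describes it, and a proxy that optionally implements wrowe's option 2 (detect NTLM and mark the connection non-recyclable, binding it to the frontend connection). The class names, the `TYPE1`/`TYPE3:` tokens and the port numbers starting at 50000 are all constructed stand-ins for the real components.

```python
"""Model of why a per-request backend pool breaks NTLM pass-through.

Added example, not httpd code. NtlmBackend, BackendPool, ReverseProxy, the
TYPE1/TYPE3 tokens and the port numbers are constructed stand-ins.
"""
from dataclasses import dataclass
from itertools import count
from typing import Dict, List, Optional, Tuple


@dataclass
class BackendConn:
    port: int                        # the source port the reporter counted in his captures
    challenge: Optional[str] = None  # NTLM state: set by a Type 1, consumed by a Type 3
    pinned: bool = False             # "mark the connection as non-recyclable" (wrowe, option 2)


class NtlmBackend:
    """IIS-like server: the handshake state lives on the connection, not on the request."""

    def handle(self, conn: BackendConn, authorization: Optional[str]) -> Tuple[int, Optional[str]]:
        """Return (status, value of WWW-Authenticate or None)."""
        if authorization is None:
            return 401, "NTLM"                           # offer NTLM to the client
        scheme, _, token = authorization.partition(" ")
        if scheme != "NTLM":
            return 401, "NTLM"
        if token == "TYPE1":
            conn.challenge = f"challenge-{conn.port}"    # constructed nonce, bound to this conn
            return 401, f"NTLM {conn.challenge}"        # Type 2 message
        if token.startswith("TYPE3:"):
            answer = token[len("TYPE3:"):]
            if conn.challenge is not None and answer == conn.challenge:
                conn.challenge = None
                return 200, None                         # authenticated on this connection
            return 401, "NTLM"   # Type 3 arrived on a connection that never issued a challenge
        return 400, None


class BackendPool:
    """Shared pool: a connection is leased for one request and released right after it."""

    def __init__(self) -> None:
        self.free: List[BackendConn] = []
        self._ports = count(50000)                       # constructed port numbers

    def lease(self) -> BackendConn:
        return self.free.pop() if self.free else BackendConn(next(self._ports))

    def release(self, conn: BackendConn) -> None:
        if not conn.pinned:                              # pinned conns never return to the shared pool
            self.free.append(conn)


class ReverseProxy:
    def __init__(self, backend: NtlmBackend, pin_ntlm: bool) -> None:
        self.backend = backend
        self.pool = BackendPool()
        self.pin_ntlm = pin_ntlm
        self.affinity: Dict[int, BackendConn] = {}       # frontend conn id -> pinned backend conn

    def forward(self, frontend: int, authorization: Optional[str]) -> Tuple[int, Optional[str], int]:
        conn = self.affinity.get(frontend) or self.pool.lease()
        status, www_auth = self.backend.handle(conn, authorization)
        ntlm_seen = (authorization or "").startswith("NTLM") or (www_auth or "").startswith("NTLM")
        if self.pin_ntlm and ntlm_seen:
            conn.pinned = True
            self.affinity[frontend] = conn               # later requests on this frontend reuse it
        self.pool.release(conn)
        return status, www_auth, conn.port

    def close_frontend(self, frontend: int) -> None:
        # A connection that carried NTLM state is discarded with its frontend
        # connection instead of being recycled for another client.
        self.affinity.pop(frontend, None)


def run_handshake(pin_ntlm: bool) -> Tuple[int, Tuple[int, int, int]]:
    """One NTLM client on frontend connection 1; another client's request is in
    flight on the shared pool while the Type 3 message is sent."""
    proxy = ReverseProxy(NtlmBackend(), pin_ntlm=pin_ntlm)
    _, _, p1 = proxy.forward(1, None)                    # 401, server offers NTLM
    _, www_auth, p2 = proxy.forward(1, "NTLM TYPE1")     # 401, Type 2 challenge
    challenge = www_auth.split(" ", 1)[1]
    other = proxy.pool.lease()       # a request from another frontend connection leases now
    status, _, p3 = proxy.forward(1, "NTLM TYPE3:" + challenge)
    proxy.pool.release(other)
    proxy.close_frontend(1)
    return status, (p1, p2, p3)


if __name__ == "__main__":
    print("per-request pool:", run_handshake(pin_ntlm=False))   # (401, (50000, 50000, 50001))
    print("pinned on NTLM:  ", run_handshake(pin_ntlm=True))    # (200, (50000, 50000, 50000))
```

With the plain pool the Type 3 message lands on a fresh backend connection that never issued the challenge, which is the 401 the reporter saw even with correct credentials; with pinning, all three messages travel over the same backend port. The model also shows the caveat that goes with option 2: because NTLM ties the authenticated state to the TCP connection, a pinned backend connection must be closed when its frontend connection closes rather than returned to the shared pool, otherwise the next unrelated client could inherit it.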