Posted to users@httpd.apache.org by Lucas Ferreira <lu...@gmail.com> on 2009/03/30 23:56:01 UTC

Re: [users@httpd] Apache reverse proxy and IIS integrated authentication

Hello André,

thanks for the answer.

Besides using NTLM, is there any alternative? Would Kerberos work?

Thanks,

Lucas

On Mon, Mar 30, 2009 at 18:40, André Warnier <aw...@ice-sa.com> wrote:

> Lucas Ferreira wrote:
>
>> Hello,
>>
>> I have a Microsoft IIS web server that uses integrated authentication:
>>
>> WWW-Authenticate: Negotiate
>> WWW-Authenticate: NTLM
>>
>> I would like to set up an Apache-based reverse proxy before this web site. I
>> have the proxy configured and working for non-authenticated requests, but
>> every request that requires authentication fails with a "401 Unauthorized"
>> message. If I remove the proxy, the authentication works fine.
>>
>> So, is it possible to forward integrated authentication using an Apache
>> reverse proxy? If yes, where can I find documentation on this?
>>
> This may be a problem because NTLM authentication is really
> connection-based (I mean not really per-request), and the connection which
> the browser has with your proxy, is not the same as the connection which the
> proxy sets up with the back-end server.  For example, it would be possible
> for the proxy to "pool" several client browser connections, over a single
> connection to the back-end server, and that would not allow NTLM to work
> properly.
>
> In a bit more detail: NTLM authentication requires multiple exchanges
> between the authenticating server and the browser, and these exchanges must
> happen in a certain ordered sequence, on the same HTTP connection.
> So if two browsers (or even two windows in the same browser) each try to
> authenticate to the back-end server, but the proxy multiplexes these
> exchanges over a single connection to the back-end server, then from the
> back-end (IIS) server point of view, the steps are seen as mixed-up (out of
> sequence on that single connection), and it will not work properly.
>
> In summary, I think you are doomed, but I am willing to be proven wrong, as
> the subject is of interest to me also.
> Another good place to ask may be the jCIFS list at
> jcifs@lists.samba.org
>
> They are not Apache specialists there, but there are HTTP/NTLM specialists
> lurking there.
> Just be nice and ask your question in a general sense, not expecting them
> to be specifically Apache proxy gurus.


-- 
If a tree falls in the forest and no one is around to see it, do the other
trees make fun of it?
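
The connection-state problem described in the quoted reply, as an added simulation that is not part of the original thread: the back end keeps the pending challenge per connection, so two interleaved handshakes over one shared back-end connection both end in 401, while one back-end connection per client connection lets both succeed. The class names, the constructed credentials and the keyed hash standing in for the real NTLM response computation are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Constructed credentials for the simulation (not real accounts).
SECRETS = {"alice": b"alice-secret", "bob": b"bob-secret"}

def prove(user, challenge):
    """Stand-in for the NTLM Type 3 response: a keyed hash over the server challenge."""
    return hmac.new(SECRETS[user], challenge, hashlib.sha256).digest()

class BackendConnection:
    """One TCP connection as the back end sees it; handshake state lives here."""
    def __init__(self):
        self.pending = None   # challenge issued on this connection, awaiting a response

    def handle(self, msg):
        if msg[0] == "NEGOTIATE":                 # Type 1: start a handshake
            self.pending = secrets.token_bytes(8)
            return 401, self.pending              # Type 2: challenge
        _, user, response = msg                   # Type 3: authenticate
        challenge, self.pending = self.pending, None
        if challenge and hmac.compare_digest(response, prove(user, challenge)):
            return 200, None
        return 401, None                          # out of sequence or wrong challenge

class Proxy:
    """pinned=True: one back-end connection per client connection; False: one shared."""
    def __init__(self, pinned):
        self.pinned, self.shared, self.per_client = pinned, BackendConnection(), {}

    def forward(self, client_conn, msg):
        if not self.pinned:
            return self.shared.handle(msg)
        return self.per_client.setdefault(client_conn, BackendConnection()).handle(msg)

def run_interleaved(pinned):
    """Two clients authenticate at the same time; returns the final status of each."""
    proxy = Proxy(pinned)
    challenges = {u: proxy.forward(u, ("NEGOTIATE",))[1] for u in ("alice", "bob")}
    return {u: proxy.forward(u, ("AUTHENTICATE", u, prove(u, challenges[u])))[0]
            for u in ("alice", "bob")}

if __name__ == "__main__":
    print("shared back-end connection:", run_interleaved(pinned=False))
    print("pinned back-end connections:", run_interleaved(pinned=True))
```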