httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Lucas Ferreira <>
Subject Re: [users@httpd] Apache reverse proxy and IIS integrated authentication
Date Mon, 30 Mar 2009 21:56:33 GMT
Hello André,

thanks for the answer.

Besides using NTLM, is there any alternative? Would Kerberos work?



On Mon, Mar 30, 2009 at 18:40, André Warnier <> wrote:

> Lucas Ferreira wrote:
>> Hello,
>> I have a Microsoft IIS web server that uses integrated authentication:
>> WWW-Authenticate: Negotiate
>> WWW-Authenticate: NTLM
>> I would like to setup an Apache-based reverse proxy before this web site.
>> I
>> have the proxy configured and working for non-authenticated requests, but
>> every request that requires authentication fails with a "401 Unauthorized"
>> message. If I remove the proxy, the authentication works fine.
>> So, is it possible to forward integrated authentication using an Apache
>> reverse proxy? If yes, where can I find documentation on this?
>>  This may be a problem because NTLM authentication is really
> connection-based (I mean not really per-request), and the connection which
> the browser has with your proxy, is not the same as the connection which the
> proxy sets up with the back-end server.  For example, it would be possible
> for the proxy to "pool" several client browser connections, over a single
> connection to the back-end server, and that would not allow NTLM to work
> properly.
> In a bit more details : NTLM authentication requires multiple exchanges
> between the authenticating server and the browser, and these exchanges must
> happen in a certain ordered sequence, on the same HTTP connection.
> So if two browsers (or even two windows in the same browser) each try to
> authenticate to the back-end server, but the proxy multiplexes these
> exchanges over a single connection to the back-end server, then from the
> back-end (IIS) server point of view, the steps are seen as mixed-up (out of
> sequence on that single connection), and it will not work properly.
> In summary, I think you are doomed, but I am willing to be proven wrong, as
> the subject is of interest to me also.
> Another good place to ask may be the jCIFS list at   >
> They are not Apache specialist there, but there are HTTP/NTLM specialists
> lurking there.
> Just be nice and ask your question in a general sense, not expecting them
> to be specifically Apache proxy gurus.
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:> for more info.
> To unsubscribe, e-mail:
>  "   from the digest:
> For additional commands, e-mail:

If a tree falls in the forest and no one is around to see it, do the other
trees make fun of it?

View raw message