From: Lucas Ferreira
To: users@httpd.apache.org, aw@ice-sa.com
Date: Mon, 30 Mar 2009 18:56:33 -0300
Subject: Re: [users@httpd] Apache reverse proxy and IIS integrated authentication
Message-ID: <245770850903301456h4bec4f8an4d812399d4957f7b@mail.gmail.com>
In-Reply-To: <49D13C6A.4070302@ice-sa.com>

Hello André,

thanks for the answer.

Besides using NTLM, is there any alternative? Would Kerberos work?

Thanks,

Lucas

On Mon, Mar 30, 2009 at 18:40, André Warnier <aw@ice-sa.com> wrote:
> Lucas Ferreira wrote:
>
>> Hello,
>>
>> I have a Microsoft IIS web server that uses integrated authentication:
>>
>> WWW-Authenticate: Negotiate
>> WWW-Authenticate: NTLM
>>
>> I would like to set up an Apache-based reverse proxy before this web site. I
>> have the proxy configured and working for non-authenticated requests, but
>> every request that requires authentication fails with a "401 Unauthorized"
>> message. If I remove the proxy, the authentication works fine.
>>
>> So, is it possible to forward integrated authentication using an Apache
>> reverse proxy? If yes, where can I find documentation on this?
>>
> This may be a problem because NTLM authentication is really
> connection-based (I mean not really per-request), and the connection which
> the browser has with your proxy is not the same as the connection which the
> proxy sets up with the back-end server. For example, it would be possible
> for the proxy to "pool" several client browser connections over a single
> connection to the back-end server, and that would not allow NTLM to work
> properly.
>
> In a bit more detail: NTLM authentication requires multiple exchanges
> between the authenticating server and the browser, and these exchanges must
> happen in a certain ordered sequence, on the same HTTP connection.
> So if two browsers (or even two windows in the same browser) each try to
> authenticate to the back-end server, but the proxy multiplexes these
> exchanges over a single connection to the back-end server, then from the
> back-end (IIS) server point of view the steps are seen as mixed up (out of
> sequence on that single connection), and it will not work properly.
>
> In summary, I think you are doomed, but I am willing to be proven wrong, as
> the subject is of interest to me also.
> Another good place to ask may be the jCIFS list at
>
> jcifs@lists.samba.org
>
> They are not Apache specialists there, but there are HTTP/NTLM specialists
> lurking there.
> Just be nice and ask your question in a general sense, not expecting them
> to be specifically Apache proxy gurus.
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org

--
If a tree falls in the forest and no one is around to see it, do the other trees make fun of it?
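The failure mode André describes in the quoted reply (a multi-leg, connection-bound handshake scrambled when the proxy pools several browser connections onto one back-end connection) can be made concrete with a small simulation. The following Python is an added example written for this archive page, not code from the thread, from Apache httpd or from IIS. The back-end, proxy and browser names, the "challenge-N" values and the "valid-token" string are all constructed; the back-end keeps NTLM-style state per back-end connection, the proxy either maps front-end connections 1:1 or multiplexes them, and a single-leg scheme (each request carrying a complete token, which is how Kerberos via SPNEGO normally behaves) is included for contrast.

```python
import itertools

# Constructed simulation: an IIS-like back-end, an Apache-like reverse proxy,
# and two browsers. Names, tokens and challenges are made up for the
# illustration; nothing here talks to a real server.

MULTI_LEG = "multi-leg"      # NTLM-style: challenge/response bound to the connection
SINGLE_LEG = "single-leg"    # token-per-request style (Kerberos via SPNEGO is the usual case)


class Backend:
    """The authenticating back-end. For the multi-leg scheme it remembers the
    outstanding challenge per back-end *connection*; that per-connection state
    is exactly what a multiplexing proxy scrambles."""

    def __init__(self):
        self._challenge_on = {}          # back-end connection id -> outstanding challenge
        self._seq = itertools.count(1)

    def handle(self, conn_id, request):
        """Return (status, challenge_or_None) for one request on one connection."""
        if request["scheme"] == SINGLE_LEG:
            # the whole proof travels in the request; no connection state is consulted
            return (200, None) if request.get("token") == "valid-token" else (401, None)
        if request["leg"] == 1:
            # leg 1 (Type 1): issue a fresh challenge, replacing any earlier one
            challenge = f"challenge-{next(self._seq)}"
            self._challenge_on[conn_id] = challenge
            return (401, challenge)
        # leg 3 (Type 3): consumed against the challenge outstanding on THIS connection
        expected = self._challenge_on.pop(conn_id, None)
        ok = expected is not None and request["answer"] == expected
        return (200, None) if ok else (401, None)


class Proxy:
    """Reverse proxy. With multiplex=False every front-end connection gets its
    own back-end connection; with multiplex=True all clients share one."""

    def __init__(self, backend, multiplex):
        self.backend = backend
        self.multiplex = multiplex

    def forward(self, front_conn, request):
        back_conn = "shared-backend-conn" if self.multiplex else f"backend-for-{front_conn}"
        return self.backend.handle(back_conn, request)


def simulate(scheme, multiplex, interleave=True):
    """Two browsers authenticate; returns {browser: final HTTP status}.
    interleave=True sends both browsers' leg 1 before either leg 3, which is
    what happens when two users (or two windows) hit the site at once."""
    proxy = Proxy(Backend(), multiplex)
    browsers = ["browser-A", "browser-B"]
    if scheme == SINGLE_LEG:
        return {b: proxy.forward(b, {"scheme": scheme, "token": "valid-token"})[0]
                for b in browsers}
    result = {}
    if interleave:
        challenges = {b: proxy.forward(b, {"scheme": scheme, "leg": 1})[1] for b in browsers}
        for b in browsers:
            req = {"scheme": scheme, "leg": 3, "answer": challenges[b]}
            result[b] = proxy.forward(b, req)[0]
    else:
        for b in browsers:                 # each handshake finishes before the next starts
            _, challenge = proxy.forward(b, {"scheme": scheme, "leg": 1})
            req = {"scheme": scheme, "leg": 3, "answer": challenge}
            result[b] = proxy.forward(b, req)[0]
    return result


if __name__ == "__main__":
    cases = [(MULTI_LEG, False, True), (MULTI_LEG, True, False),
             (MULTI_LEG, True, True), (SINGLE_LEG, True, True)]
    for scheme, multiplex, interleave in cases:
        print(f"{scheme:10} multiplex={multiplex!s:5} interleave={interleave!s:5} ->",
              simulate(scheme, multiplex, interleave))
```

Two of the four cases are the ones worth noticing when testing such a setup: with a shared back-end connection the multi-leg handshake still succeeds when only one browser authenticates at a time, so a single-user test passes, and it only breaks once two handshakes interleave; the single-leg scheme is indifferent to how the proxy maps connections.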