Apache reverse proxy and IIS integrated authentication
on 30.03.2009 21:03:29 by Lucas Ferreira
Hello,
I have a Microsoft IIS web server that uses integrated authentication:
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
I would like to set up an Apache-based reverse proxy before this web site. I
have the proxy configured and working for non-authenticated requests, but
every request that requires authentication fails with a "401 Unauthorized"
message. If I remove the proxy, the authentication works fine.
So, is it possible to forward integrated authentication using an Apache
reverse proxy? If yes, where can I find documentation on this?
Thanks a lot,
Lucas
--
If a tree falls in the forest and no one is around to see it, do the other
trees make fun of it?
Re: Apache reverse proxy and IIS integrated authentication
on 30.03.2009 23:40:58 by aw
Lucas Ferreira wrote:
> Hello,
>
> I have a Microsoft IIS web server that uses integrated authentication:
>
> WWW-Authenticate: Negotiate
> WWW-Authenticate: NTLM
>
> I would like to set up an Apache-based reverse proxy before this web site. I
> have the proxy configured and working for non-authenticated requests, but
> every request that requires authentication fails with a "401 Unauthorized"
> message. If I remove the proxy, the authentication works fine.
>
> So, is it possible to forward integrated authentication using an Apache
> reverse proxy? If yes, where can I find documentation on this?
>
This may be a problem because NTLM authentication is really
connection-based (I mean not really per-request), and the connection
which the browser has with your proxy, is not the same as the connection
which the proxy sets up with the back-end server. For example, it would
be possible for the proxy to "pool" several client browser connections,
over a single connection to the back-end server, and that would not
allow NTLM to work properly.
In a bit more detail: NTLM authentication requires multiple exchanges
between the authenticating server and the browser, and these exchanges
must happen in a certain ordered sequence, on the same HTTP connection.
So if two browsers (or even two windows in the same browser) each try to
authenticate to the back-end server, but the proxy multiplexes these
exchanges over a single connection to the back-end server, then from the
back-end (IIS) server point of view, the steps are seen as mixed-up (out
of sequence on that single connection), and it will not work properly.
In summary, I think you are doomed, but I am willing to be proven wrong,
as the subject is of interest to me also.
Another good place to ask may be the jCIFS list at jcifs@lists.samba.org
They are not Apache specialists there, but there are HTTP/NTLM
specialists lurking there.
Just be nice and ask your question in a general sense, not expecting
them to be specifically Apache proxy gurus.
------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
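The connection-bound handshake described in the reply above, as an added example that is not part of the original thread: a toy back end keeps NTLM state per connection, and two clients' interleaved handshakes are run once over a shared (pooled) back-end connection and once over one back-end connection per client. The 8-byte `NTLMSSP` signature and little-endian message type follow the real token layout; the payloads, the echo-the-challenge check and all function names are constructed simplifications.

```python
import base64, os, struct

SIG = b"NTLMSSP\x00"

def ntlm_header(msg_type, payload=b""):
    """Build an 'NTLM <base64>' header value: signature, LE message type, payload."""
    return "NTLM " + base64.b64encode(SIG + struct.pack("<I", msg_type) + payload).decode()

def parse_ntlm(header_value):
    """Return (message_type, payload) from an 'NTLM <base64>' header value."""
    scheme, _, b64 = header_value.partition(" ")
    raw = base64.b64decode(b64)
    if scheme != "NTLM" or raw[:8] != SIG:
        raise ValueError("not an NTLM token")
    return struct.unpack("<I", raw[8:12])[0], raw[12:]

class BackendConnection:
    """Toy model of ONE TCP connection to the back end; handshake state lives here."""
    def __init__(self):
        self.pending = None                    # challenge still awaiting its Type 3

    def handle(self, authorization):
        """Return (status, challenge); a Type 1 gets 401 plus a fresh challenge."""
        mtype, payload = parse_ntlm(authorization)
        if mtype == 1:
            self.pending = os.urandom(8)       # overwrites any earlier challenge
            return 401, self.pending
        # Simplification: a real Type 3 carries a response derived from the challenge.
        ok = mtype == 3 and self.pending is not None and payload == self.pending
        self.pending = None
        return (200 if ok else 401), None

def run(shared):
    """Interleave two clients' handshakes; return each client's final status."""
    conns = {}
    def backend_for(client):
        return conns.setdefault("pooled" if shared else client, BackendConnection())
    challenges, status = {}, {}
    for client in ("A", "B"):                  # both Type 1 messages arrive first
        _, challenges[client] = backend_for(client).handle(ntlm_header(1))
    for client in ("A", "B"):                  # then both Type 3 messages
        hdr = ntlm_header(3, challenges[client])
        status[client], _ = backend_for(client).handle(hdr)
    return status

if __name__ == "__main__":
    print("shared back-end connection:", run(shared=True))
    print("one connection per client: ", run(shared=False))
```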
Re: Apache reverse proxy and IIS integrated
on 30.03.2009 23:56:01 by Lucas Ferreira
Hello André,
thanks for the answer.
Besides using NTLM, is there any alternative? Would Kerberos work?
Thanks,
Lucas
On Mon, Mar 30, 2009 at 18:40, André Warnier wrote:
> Lucas Ferreira wrote:
>
>> Hello,
>>
>> I have a Microsoft IIS web server that uses integrated authentication:
>>
>> WWW-Authenticate: Negotiate
>> WWW-Authenticate: NTLM
>>
>> I would like to set up an Apache-based reverse proxy before this web site. I
>> have the proxy configured and working for non-authenticated requests, but
>> every request that requires authentication fails with a "401 Unauthorized"
>> message. If I remove the proxy, the authentication works fine.
>>
>> So, is it possible to forward integrated authentication using an Apache
>> reverse proxy? If yes, where can I find documentation on this?
>>
> This may be a problem because NTLM authentication is really
> connection-based (I mean not really per-request), and the connection which
> the browser has with your proxy, is not the same as the connection which the
> proxy sets up with the back-end server. For example, it would be possible
> for the proxy to "pool" several client browser connections, over a single
> connection to the back-end server, and that would not allow NTLM to work
> properly.
>
> In a bit more detail: NTLM authentication requires multiple exchanges
> between the authenticating server and the browser, and these exchanges must
> happen in a certain ordered sequence, on the same HTTP connection.
> So if two browsers (or even two windows in the same browser) each try to
> authenticate to the back-end server, but the proxy multiplexes these
> exchanges over a single connection to the back-end server, then from the
> back-end (IIS) server point of view, the steps are seen as mixed-up (out of
> sequence on that single connection), and it will not work properly.
>
> In summary, I think you are doomed, but I am willing to be proven wrong, as
> the subject is of interest to me also.
> Another good place to ask may be the jCIFS list at jcifs@lists.samba.org
>
> They are not Apache specialists there, but there are HTTP/NTLM specialists
> lurking there.
> Just be nice and ask your question in a general sense, not expecting them
> to be specifically Apache proxy gurus.
Re: Apache reverse proxy and IIS integrated
on 30.03.2009 23:56:33 by Lucas Ferreira
Hello André,
thanks for the answer.
Besides using NTLM, is there any alternative? Would Kerberos work?
Thanks,
Lucas