Re: PR 39673 revealed a problem with NTLM and mod_proxy

2006-05-30 Thread Joost de Heer

Ruediger Pluem wrote:

PR 39673 revealed a problem with NTLM and mod_proxy_http.
Actually NTLM does not work any longer with proxied backends doing NTLM 
authentication.


Microsoft themselves have said that NTLM authentication via a proxy probably 
won't work:


http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/iis/reskit/iischp9.mspx

Integrated Windows authentication has the following limitations:

* It cannot be performed through a firewall via a proxy.

So I'm a bit surprised that it used to work.

Joost


PR 39673 revealed a problem with NTLM and mod_proxy

2006-05-30 Thread Ruediger Pluem
PR 39673 revealed a problem with NTLM and mod_proxy_http.
Actually NTLM does not work any longer with proxied backends doing NTLM 
authentication.

As far as I understand NTLM, the current 2.2.x proxy implementation does NOT
support it, because there is no guarantee that the same backend connection is
used for the next request on a keepalive frontend connection. Each request from a
frontend connection leases a backend connection from a connection pool for the
request and returns it back to the pool immediately after the request has been
processed. When the next request on this keepalive frontend connection is
processed it may lease a different backend connection from the pool.

This raises two questions for me:

1. The current approach of leasing connections from the pool on a per-request
   basis means that a keepalive frontend connection may use a different backend
   connection for each request and that a keepalive backend connection may be
   used by different frontend connections. Does this approach violate any RFCs
   we claim to implement / support?

2. If the answer to 1. is no, the question that remains is: Do we claim / want
   to support NTLM on proxied backends? As far as I understand there is no
   official spec for NTLM, correct?


Regards

Rüdiger
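A toy model of the leasing behaviour Rüdiger describes, added here as an illustration; it is not Apache httpd code and not code from either poster. It models NTLM the way the thread treats it, as authentication state bound to the backend TCP connection rather than to a request, and compares a proxy that leases a pooled backend connection per request with one that pins a backend connection to the frontend keepalive connection. Assumptions not in the original posts: the pool hands out idle connections round-robin (the worst case of "may lease a different backend connection"), the backend resets its handshake state on an out-of-sequence message, and the pinned variant discards an authenticated backend connection when the frontend connection closes. Class and function names are invented for the example.

```python
"""Constructed model (not Apache httpd code): NTLM-style connection-bound
authentication through a proxy that leases backend connections per request,
versus one that pins a backend connection to the frontend connection."""


class BackendConn:
    """One keepalive TCP connection to the backend. The handshake state
    lives on the connection, not on the request (constructed model)."""

    def __init__(self, cid):
        self.cid = cid
        self.state = "anon"      # anon -> challenged -> authed
        self.user = None
        self.busy = False

    def handle(self, headers):
        if self.state == "authed":
            # Once the connection is authenticated, every later request on
            # it is served as that user, whether or not it sends credentials.
            return 200, "hello " + self.user
        auth = headers.get("Authorization", "")
        if self.state == "anon" and auth == "NTLM TYPE1":
            self.state = "challenged"
            return 401, "NTLM TYPE2"
        if self.state == "challenged" and auth.startswith("NTLM TYPE3:"):
            self.state, self.user = "authed", auth.split(":", 1)[1]
            return 200, "hello " + self.user
        self.state = "anon"      # no message, or one out of sequence: reset
        return 401, "NTLM"


class Pool:
    """Backend connection pool. lease() hands out idle connections
    round-robin (assumption: worst case for per-request leasing)."""

    def __init__(self, size):
        self.conns = [BackendConn(i) for i in range(size)]
        self.next = 0

    def lease(self):
        for _ in range(len(self.conns)):
            c = self.conns[self.next]
            self.next = (self.next + 1) % len(self.conns)
            if not c.busy:
                c.busy = True
                return c
        raise RuntimeError("pool exhausted")

    def release(self, c):
        c.busy = False


class FrontendConn:
    """One keepalive client connection through the proxy."""

    def __init__(self, pool, pinned):
        self.pool, self.pinned, self.backend = pool, pinned, None

    def send(self, headers):
        if self.pinned:
            # Keep one backend connection for the life of this frontend
            # connection, so all three NTLM messages reach the same socket.
            if self.backend is None:
                self.backend = self.pool.lease()
            return self.backend.handle(headers)
        c = self.pool.lease()            # per-request lease, as in the post
        try:
            return c.handle(headers)
        finally:
            self.pool.release(c)         # back to the pool right away

    def close(self):
        b, self.backend = self.backend, None
        if b is None:
            return
        if b.state == "authed":
            # Assumption: an authenticated backend connection must not be
            # returned to the pool, or the next client inherits the user.
            self.pool.conns[b.cid] = BackendConn(b.cid)
        else:
            self.pool.release(b)


def ntlm_handshake(fe, user):
    """Client side of the three-message exchange; returns the final status."""
    status, _ = fe.send({})
    if status != 401:
        return status
    status, body = fe.send({"Authorization": "NTLM TYPE1"})
    if (status, body) != (401, "NTLM TYPE2"):
        return status
    status, _ = fe.send({"Authorization": "NTLM TYPE3:" + user})
    return status


def per_request_leasing(pool_size=2):
    """TYPE1 and TYPE3 land on different backend connections: handshake fails."""
    return ntlm_handshake(FrontendConn(Pool(pool_size), pinned=False), "alice")


def pinned_backend(pool_size=2):
    """All three messages use one backend connection: handshake succeeds."""
    fe = FrontendConn(Pool(pool_size), pinned=True)
    try:
        return ntlm_handshake(fe, "alice")
    finally:
        fe.close()


def anonymous_after_other_client(pinned):
    """Status a second client gets with no credentials once the first
    client has authenticated over a single pooled backend connection."""
    pool = Pool(1)
    a = FrontendConn(pool, pinned)
    ntlm_handshake(a, "alice")
    a.close()
    status, _ = FrontendConn(pool, pinned).send({})
    return status
```

The first two functions show the failure mode in the report: with per-request leasing the TYPE1 and TYPE3 messages reach different backend sockets and the backend never sees a complete handshake. The third shows the other side of question 1, a keepalive backend connection shared by different frontend connections: with per-request leasing the second client is served as the first client's user without sending any credentials, so pinning has to be paired with dropping the authenticated backend connection when the frontend connection closes.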