Hello André, thanks for the answer.
Besides using NTLM, is there any alternative? Would Kerberos work?

Thanks,

Lucas

On Mon, Mar 30, 2009 at 18:40, André Warnier <[email protected]> wrote:

> Lucas Ferreira wrote:
>
>> Hello,
>>
>> I have a Microsoft IIS web server that uses integrated authentication:
>>
>> WWW-Authenticate: Negotiate
>> WWW-Authenticate: NTLM
>>
>> I would like to set up an Apache-based reverse proxy before this web site.
>> I have the proxy configured and working for non-authenticated requests, but
>> every request that requires authentication fails with a "401 Unauthorized"
>> message. If I remove the proxy, the authentication works fine.
>>
>> So, is it possible to forward integrated authentication using an Apache
>> reverse proxy? If yes, where can I find documentation on this?
>>
> This may be a problem because NTLM authentication is really
> connection-based (I mean not really per-request), and the connection which
> the browser has with your proxy is not the same as the connection which the
> proxy sets up with the back-end server. For example, it would be possible
> for the proxy to "pool" several client browser connections over a single
> connection to the back-end server, and that would not allow NTLM to work
> properly.
>
> In a bit more detail: NTLM authentication requires multiple exchanges
> between the authenticating server and the browser, and these exchanges must
> happen in a certain ordered sequence, on the same HTTP connection.
> So if two browsers (or even two windows in the same browser) each try to
> authenticate to the back-end server, but the proxy multiplexes these
> exchanges over a single connection to the back-end server, then from the
> back-end (IIS) server's point of view, the steps are seen as mixed-up (out of
> sequence on that single connection), and it will not work properly.
>
> In summary, I think you are doomed, but I am willing to be proven wrong, as
> the subject is of interest to me also.
> Another good place to ask may be the jCIFS list at
>
> [email protected]
>
> They are not Apache specialists there, but there are HTTP/NTLM specialists
> lurking there.
> Just be nice and ask your question in a general sense, not expecting them
> to be specifically Apache proxy gurus.
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.

--
If a tree falls in the forest and no one is around to see it, do the other trees make fun of it?
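
The pooling problem described in the quoted reply, modelled as an added example that is not part of the original thread. It is a simplified model: the handshake state is kept per back-end connection, an HMAC stands in for the real NTLM response computation, and the user names, secrets, and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample credentials, not taken from the thread.
SECRETS = {"alice": b"constructed-secret-a", "bob": b"constructed-secret-b"}


def response_for(secret, challenge):
    """Stand-in for the Type 3 response (real NTLM uses a different computation)."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


class BackendConnection:
    """One TCP connection as the back-end (IIS in the thread) sees it."""

    def __init__(self):
        self.challenge = None  # outstanding Type 2 challenge on this connection

    def negotiate(self):
        """Type 1 arrives: reply 401 with a fresh challenge, replacing any old one."""
        self.challenge = os.urandom(8)
        return self.challenge

    def authenticate(self, user, response):
        """Type 3 arrives: it must answer the challenge issued on this connection."""
        if self.challenge is None:
            return 401  # no handshake in progress here
        expected = response_for(SECRETS[user], self.challenge)
        self.challenge = None
        return 200 if hmac.compare_digest(expected, response) else 401


def run(shared):
    """Interleave two browsers' handshakes and return each one's final status.

    shared=True  : the proxy multiplexes both browsers over one back-end connection.
    shared=False : each browser connection is pinned to its own back-end connection.
    """
    pooled = BackendConnection()
    conn = {u: pooled if shared else BackendConnection() for u in SECRETS}
    # Both Type 1 messages reach the back-end before either Type 3 does.
    challenges = {u: conn[u].negotiate() for u in SECRETS}
    return {u: conn[u].authenticate(u, response_for(SECRETS[u], challenges[u]))
            for u in SECRETS}


if __name__ == "__main__":
    print("pooled:", run(shared=True))
    print("pinned:", run(shared=False))
```

With the shared connection the second Type 1 replaces the first challenge, so the first browser's Type 3 answers a challenge the back-end no longer holds and the second arrives with no handshake open.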
