Advise for NTLM-Auth
mdounin at mdounin.ru
Tue Apr 19 01:24:55 UTC 2016
On Mon, Apr 18, 2016 at 02:28:19PM -0700, Payam Chychi wrote:
> >Maxim Dounin:
> >>Just a side note: NTLM auth is broken by design and violates HTTP
> >>basic rules. Avoid using it if you can.
> >to be clear: I don't care if it's named NTLM or ugly_voodoo
> >The goal is a nginx accesses by a IE/edge browser. Users should not be
> >bothered with authentication
> >as they are already logged on into the windows account.
> I'm not sure what you do not understand from the reply, NTLM auth is broken.
> This is not about "let's call it Voodoo_melt" and make it work, Windows
> utilizes NTLM, so... what you are trying to use will not work. Why? Because
> NGINX NTLM does not work.
No, you didn't get it. NTLM http auth itself, as "defined" by
RFC 4559, is broken by design, and it has nothing to do with nginx.
In anything more complex than "a server and directly connected
clients" it's expected to require various NTLM-specific hacks,
quirks, and so on. Because NTLM tries to authenticate connections
instead of requests, thus breaking basic HTTP principles.
The above, actually, is explicitly said in RFC 4559 Errata, see
And that's why I don't recommend using it if possible. Regardless
of support in particular software.
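
The connection-versus-request point made in the message above, as an added example that is not part of the original post or of nginx. It is a simplified Python model in which a proxy reuses one upstream connection for several clients; all class and field names are hypothetical and no real NTLM messages are implemented.

```python
# Simplified model (constructed): only the binding rule, no NTLM wire format.
class ConnectionAuthBackend:
    """Remembers the user per connection, as connection-oriented auth does."""
    def __init__(self):
        self.user_by_conn = {}

    def handle(self, conn_id, request):
        # A completed handshake marks the whole connection as authenticated.
        if "handshake_user" in request:
            self.user_by_conn[conn_id] = request["handshake_user"]
        return self.user_by_conn.get(conn_id)  # None stands for a 401


class RequestAuthBackend:
    """Decides from the request alone; the connection identity is ignored."""
    def handle(self, conn_id, request):
        return request.get("credential_user")


class PoolingProxy:
    """Forwards every client's requests over one shared upstream connection."""
    def __init__(self, backend):
        self.backend = backend
        self.upstream_conn = "upstream-1"

    def forward(self, request):
        return self.backend.handle(self.upstream_conn, request)


def seen_through_proxy(backend, requests):
    """Return the user the backend attributes to each forwarded request."""
    proxy = PoolingProxy(backend)
    return [proxy.forward(r) for r in requests]


def demo():
    # Constructed traffic: alice authenticates, then an anonymous client
    # sends a request that the proxy places on the same upstream connection.
    conn_bound = seen_through_proxy(
        ConnectionAuthBackend(),
        [{"path": "/a", "handshake_user": "alice"}, {"path": "/b"}],
    )
    per_request = seen_through_proxy(
        RequestAuthBackend(),
        [{"path": "/a", "credential_user": "alice"}, {"path": "/b"}],
    )
    return conn_bound, per_request


if __name__ == "__main__":
    print(demo())
```

In the connection-bound model the anonymous request to `/b` is attributed to alice, while the per-request model rejects it. This is why an intermediary in front of connection-oriented auth has to keep each client pinned to its own upstream connection.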