Advise for NTLM-Auth

Maxim Dounin mdounin at
Tue Apr 19 01:24:55 UTC 2016


On Mon, Apr 18, 2016 at 02:28:19PM -0700, Payam Chychi wrote:

> >Maxim Dounin:
> >
> >>Just a side note: NTLM auth is broken by design and violates HTTP
> >>basic rules.  Avoid using it if you can.
> >
> >to be clear: I don't care if it's named NTLM or ugly_voodoo
> >
> >The goal is a nginx accesses by a IE/edge browser. Users should not be
> >bothered with authentication
> >as they are already logged on into the windows account.
> >
> >possible?
> >
> Im not sure what you do not understand from the reply, NTLM auth is broken.
> This is not about "lets call it Voodoo_melt" and make it work, Windows
> utilizes NTLM, so... what you are trying to use will not work. why? because
> NGINX NTLM does not work.

No, you didn't get it.  NTLM http auth itself, as "defined" by 
RFC 4559, is broken by design, and it has nothing to do with nginx.  
In anything more complex than "a server and directly connected 
clients" it's expected to require various NTLM-specific hacks, 
quirks, and so on.  Because NTLM tries to authenticate connections 
instead of requests, thus breaking basic HTTP principles.

The above, actually, is explicitly said in RFC 4559 Errata, see

And that's why I don't recommend using it if possible.  Regardless 
of support in particular software.

Maxim Dounin

More information about the nginx mailing list