Advise for NTLM-Auth
Payam Chychi
pchychi at gmail.com
Tue Apr 19 06:12:38 UTC 2016
On Apr 18, 2016, 6:25 PM -0700, Maxim Dounin<mdounin at mdounin.ru>, wrote:
> Hello!
>
> On Mon, Apr 18, 2016 at 02:28:19PM -0700, Payam Chychi wrote:
>
> > > Maxim Dounin:
> > >
> > > > Just a side note: NTLM auth is broken by design and violates HTTP
> > > > basic rules. Avoid using it if you can.
> > >
> > > to be clear: I don't care if it's named NTLM or ugly_voodoo
> > >
> > > The goal is an nginx accessed by an IE/Edge browser. Users should not be
> > > bothered with authentication
> > > as they are already logged on into the windows account.
> > >
> > > possible?
> > >
> >
> > I'm not sure what you do not understand from the reply, NTLM auth is broken.
> > This is not about "let's call it Voodoo_melt" and make it work, Windows
> > utilizes NTLM, so... what you are trying to use will not work. why? because
> > NGINX NTLM does not work.
>
> No, you didn't get it. NTLM http auth itself, as "defined" by
> RFC 4559, is broken by design, and it has nothing to do with nginx.
> In anything more complex than "a server and directly connected
> clients" it's expected to require various NTLM-specific hacks,
> quirks, and so on. Because NTLM tries to authenticate connections
> instead of requests, thus breaking basic HTTP principles.
>
> The above, actually, is explicitly said in RFC 4559 Errata, see
> https://www.rfc-editor.org/errata_search.php?rfc=4559.
>
> And that's why I don't recommend using it if possible. Regardless
> of support in particular software.
>
> --
> Maxim Dounin
> http://nginx.org/
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
>
> Hi Maxim,
>
> Broken or not, it's what MS supports and it's not going anywhere just yet.
>
> If he/his application needs ntlm, mainly because of MS based solutions and first hand I can say that nginx module vs. squid comes up very short.
>
> So in short... If you 'need' ntlm and want a fully working ntlm auth then proxy/redir to a squid box, or wrap it in a tcp proxy; lot of ways to make something work if you 'must'
>
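
Added example, not part of the original thread: a simplified Python model of the point quoted above, that NTLM authenticates connections rather than requests, showing what happens when an intermediary reuses one upstream connection for several clients versus pinning one upstream connection per client connection. All class and function names are hypothetical, the NTLM handshake is collapsed into a single `auth` field, and the requests are constructed sample data.

```python
import itertools

class Backend:
    """Origin that keeps auth state per connection (the NTLM model)."""
    def __init__(self):
        self.conn_user = {}  # upstream connection id -> authenticated user

    def handle(self, conn_id, request):
        # A request carrying credentials authenticates the whole connection;
        # every later request on that connection inherits the identity.
        if "auth" in request:
            self.conn_user[conn_id] = request["auth"]
        user = self.conn_user.get(conn_id)
        return (200, user) if user else (401, None)

class PoolingProxy:
    """Intermediary that reuses upstream connections across clients."""
    def __init__(self, backend, pool_size):
        self.backend = backend
        self.pool = itertools.cycle(range(pool_size))

    def forward(self, client_conn, request):
        # Which client sent the request plays no part in connection choice.
        return self.backend.handle(next(self.pool), request)

class PinningProxy:
    """Intermediary that dedicates one upstream connection per client."""
    def __init__(self, backend):
        self.backend = backend

    def forward(self, client_conn, request):
        return self.backend.handle(("pinned", client_conn), request)

def run(proxy):
    # Constructed traffic: alice authenticates, bob sends no credentials.
    alice = proxy.forward("c1", {"path": "/", "auth": "alice"})
    bob = proxy.forward("c2", {"path": "/"})
    return alice, bob

def shared_pool_demo():
    return run(PoolingProxy(Backend(), pool_size=1))

def pinned_demo():
    return run(PinningProxy(Backend()))

if __name__ == "__main__":
    print("shared pool:", shared_pool_demo())  # bob is served as alice
    print("pinned     :", pinned_demo())       # bob gets 401
```

With request-based schemes the pooling proxy would be harmless, because each request carries its own credentials; with connection-based auth the intermediary has to keep a strict one-to-one mapping between client and upstream connections.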