Advise for NTLM-Auth

Max Clements max at clements.za.net
Tue Apr 19 17:56:36 UTC 2016


Depending on the versions of Windows and what you are trying to do, it
may be possible to use Kerberos via Nginx, rather than NTLM.  It
requires some foo setting up Service Principal Names, but does work
properly via an HTTP proxy, and provides passthrough auth, which seems
to be what the desire here is.

On Mon, Apr 18, 2016 at 11:12 PM, Payam Chychi <pchychi at gmail.com> wrote:
>
>
> On Apr 18, 2016, 6:25 PM -0700, Maxim Dounin <mdounin at mdounin.ru>, wrote:
>
> Hello!
>
> On Mon, Apr 18, 2016 at 02:28:19PM -0700, Payam Chychi wrote:
>
> Maxim Dounin:
>
> Just a side note: NTLM auth is broken by design and violates HTTP
> basic rules. Avoid using it if you can.
>
>
> to be clear: I don't care if it's named NTLM or ugly_voodoo
>
> The goal is an nginx accessed by an IE/Edge browser. Users should not be
> bothered with authentication
> as they are already logged on into the Windows account.
>
> possible?
>
>
> I'm not sure what you do not understand from the reply, NTLM auth is broken.
> This is not about "let's call it Voodoo_melt" and make it work, Windows
> utilizes NTLM, so... what you are trying to use will not work. why? because
> NGINX NTLM does not work.
>
>
> No, you didn't get it. NTLM http auth itself, as "defined" by
> RFC 4559, is broken by design, and it has nothing to do with nginx.
> In anything more complex than "a server and directly connected
> clients" it's expected to require various NTLM-specific hacks,
> quirks, and so on. Because NTLM tries to authenticate connections
> instead of requests, thus breaking basic HTTP principles.
>
> The above, actually, is explicitly said in RFC 4559 Errata, see
> https://www.rfc-editor.org/errata_search.php?rfc=4559.
>
> And that's why I don't recommend using it if possible. Regardless
> of support in particular software.
>
> --
> Maxim Dounin
> http://nginx.org/
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
>
>
> Hi Maxim,
>
>
> Broken or not, it's what MS supports and it's not going anywhere just yet.
>
>
> If he/his application needs NTLM, mainly because of MS based solutions and
> firsthand I can say that the nginx module vs. squid comes up very short.
>
>
> So in short... If you 'need' ntlm and want a fully working ntlm auth then
> proxy/redir to a squid box, or wrap it in a tcp proxy; lot of ways to make
> something work if you 'must'
>
>
>



-- 
Monday is an awful way to spend 1/7th of your life...
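The core point in the quoted discussion, that NTLM authenticates the connection rather than each request, is easiest to see in a small model. The following is an added example, not code from the thread or from nginx: it simulates a keep-alive proxy that pools one upstream connection across clients, and compares a per-request credential check (Basic/Bearer style) with a per-connection check (NTLM style). The credential store, client names and paths are constructed sample values; the `pool_across_clients` switch models the "NTLM-specific hack" a proxy needs, namely pinning one upstream connection to one client connection.

```python
"""Toy model: connection-scoped auth (NTLM-style) vs request-scoped auth behind a proxy.

Added illustration, not part of the original mailing-list post.  Everything
here (credential table, client names, paths) is constructed sample data.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed credential store: token -> user
VALID_CREDS = {"token-alice": "alice"}


@dataclass
class Request:
    client: str                      # which client connection the request arrived on
    path: str
    credential: Optional[str] = None # None = no credential sent on this request


@dataclass
class UpstreamConnection:
    conn_id: int
    authenticated_as: Optional[str] = None  # per-connection state, as NTLM keeps it


Handler = Callable[[UpstreamConnection, Request], Tuple[int, Optional[str]]]


def handle_per_request(conn: UpstreamConnection, req: Request) -> Tuple[int, Optional[str]]:
    """Request-scoped auth: every request must carry its own valid credential."""
    user = VALID_CREDS.get(req.credential)
    if user is None:
        return 401, None
    return 200, user


def handle_per_connection(conn: UpstreamConnection, req: Request) -> Tuple[int, Optional[str]]:
    """Connection-scoped auth: once a connection authenticates, later requests on
    that same TCP connection are trusted without any credential (NTLM behaviour)."""
    if conn.authenticated_as is None:
        user = VALID_CREDS.get(req.credential)
        if user is None:
            return 401, None
        conn.authenticated_as = user
    return 200, conn.authenticated_as


class Proxy:
    """Reverse proxy with keep-alive upstream connections.

    pool_across_clients=True  : one shared upstream connection for all clients
                                (normal HTTP keep-alive pooling).
    pool_across_clients=False : one upstream connection per client connection
                                (the extra hack a proxy needs for NTLM to be safe).
    """

    def __init__(self, handler: Handler, pool_across_clients: bool = True):
        self.handler = handler
        self.pool_across_clients = pool_across_clients
        self._shared = UpstreamConnection(conn_id=1)
        self._per_client = {}
        self.log: List[Tuple[str, str, int, Optional[str]]] = []

    def _upstream_for(self, client: str) -> UpstreamConnection:
        if self.pool_across_clients:
            return self._shared
        if client not in self._per_client:
            self._per_client[client] = UpstreamConnection(conn_id=len(self._per_client) + 2)
        return self._per_client[client]

    def forward(self, req: Request) -> Tuple[int, Optional[str]]:
        status, user = self.handler(self._upstream_for(req.client), req)
        self.log.append((req.client, req.path, status, user))
        return status, user


def run_scenario(handler: Handler, pool_across_clients: bool = True):
    """Alice authenticates, then Bob (no credential) sends a request through the same proxy.
    Returns the proxy log as (client, path, status, user-as-seen-by-upstream)."""
    proxy = Proxy(handler, pool_across_clients)
    proxy.forward(Request("alice", "/report", "token-alice"))
    proxy.forward(Request("bob", "/report"))
    return proxy.log


if __name__ == "__main__":
    for name, handler in (("per-request", handle_per_request),
                          ("per-connection", handle_per_connection)):
        for pooled in (True, False):
            print(name, "pooled" if pooled else "pinned", run_scenario(handler, pooled))
```

With the shared upstream connection, the per-request handler correctly rejects Bob's credential-less request, while the per-connection handler serves it as Alice, because the upstream only knows the connection was authenticated. Only by giving up cross-client pooling (the `pool_across_clients=False` path) does the NTLM-style handler behave, which is the kind of proxy-side special casing the thread refers to.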


