NTLM sharepoint when use nginx reverse proxy

Jason Whittington Jason.Whittington at equifax.com
Fri Feb 23 15:22:14 UTC 2018

I posted this a few weeks ago – I hope it helps you.  I did this with nginx plus, so it may not work if you are using the open-source product.

NTLM authentication authenticates connections instead of requests, and this is somewhat contradicts HTTP protocol, which is expected to be stateless. As a result it doesn't generally work though proxies, including nginx.

NGINX can support it though, you need to use the "ntlm" directive. Below is an [stripped down] example of how I have it set up in front of TFS.  I would think Sharepoint would be very similar.  This has worked very reliably for like a year.

upstream MyNtlmService {

        zone backend;



        #See http://stackoverflow.com/questions/10395807/nginx-close-upstream-connection-after-request

        keepalive 64;

        #See http://nginx.org/en/docs/http/ngx_http_upstream_module.html#ntlm



    server {

        listen 80;

        location / {

            proxy_read_timeout 60s;


            proxy_http_version 1.1;

            proxy_set_header Connection "";

            proxy_pass http:// MyNtlmService /;



From: nginx [mailto:nginx-bounces at nginx.org] On Behalf Of Payam Chychi
Sent: Friday, February 23, 2018 8:05 AM
To: nginx at nginx.org
Subject: [IE] Re: NTLM sharepoint when use nginx reverse proxy

On Fri, Feb 23, 2018 at 4:32 AM Francis Daly <francis at daoine.org<mailto:francis at daoine.org>> wrote:
On Fri, Feb 23, 2018 at 04:15:31AM -0500, sonpg wrote:

Hi there,

> myserver requires NTLM authentication. I access myserver through nginx proxy
> and provide correct auth info,but the browser prompt auth again.


nginx does not support NTLM authentication.

If you need something to reverse-proxy a http server that uses NTLM, you
must write the code to make your nginx do it, or you must use something
that is not stock-nginx.

If you choose the latter, "NGINX Plus" is one thing that does advertise
NTLM support. Other things probably exist too.

Francis Daly        francis at daoine.org<mailto:francis at daoine.org>
nginx mailing list
nginx at nginx.org<mailto:nginx at nginx.org>

Pass it to squid for NTLM auth
Payam Tarverdyan Chychi
Network Security Specialist / Network Engineer
This message contains proprietary information from Equifax which may be confidential. If you are not an intended recipient, please refrain from any disclosure, copying, distribution or use of this information and note that such actions are prohibited. If you have received this transmission in error, please notify by e-mail postmaster at equifax.com. Equifax® is a registered trademark of Equifax Inc. All rights reserved.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20180223/0a0b5403/attachment-0001.html>

More information about the nginx mailing list