How to Windows auth working on nginx reverse proxy ???

Maxim Dounin mdounin at mdounin.ru
Mon Jan 9 14:06:15 UTC 2012


Hello!

On Mon, Jan 09, 2012 at 03:00:13AM -0500, cn_nginxer wrote:

> Hello Ryan,
> 
> May I ask an very stupide question, what do you mean by nginx is not
> supported back-end keep-alive?

Backend keepalive http connections are supported since nginx 1.1.4, but 
it doesn't help to proxy NTLM.  See below.

> I checked with wireshark, both NTLM and MD authentication are using the
> same TCP connection, as far as I understand, nginx is just do a forward
> job, so the question is that why nginx could foward the MD request to
> the client but not NTLM request?

NTLM is connection-based and requires the same connection to be 
used for other requests from the client.  It's not going to work 
through http proxy servers as "the same connection for the same 
client" isn't guaranteed by http proxy servers.  See here for 
details:

http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/523ae943-5e6a-4200-9103-9808baa00157.mspx?mfr=true

Digest authentication, in contrast, doesn't rely on the same 
connection to be used.  Instead, client provides data originally 
supplied by the server (nonce value) in each request.  See here 
for details:

http://en.wikipedia.org/wiki/Digest_access_authentication
http://tools.ietf.org/html/rfc2617

Maxim Dounin



More information about the nginx mailing list