Advise for NTLM-Auth

Max Clements max at clements.za.net
Wed Apr 20 00:01:21 UTC 2016


Andreas,

Kerberos and NTLM are two completely different ways of authenticating
a user. Whilst they essentially do the same thing, the main difference
that you care about is that Kerberos works correctly over HTTP, unlike
NTLM which does not.

- which module you may suggest
There are a number of modules that perform Kerberos authentication on
Nginx -- this one, for example:
https://github.com/stnoonan/spnego-http-auth-nginx-module. You should
select one that meets your needs.

- what role play the proxy mentioned here not the first time?
I am using the term generically. Nginx is a proxy to whatever
application you are running behind it - in the sense that you make a
request to Nginx from a client, and Nginx sends (proxies) it to
your application server - be that a WSGI application or whatever.
That part I don't know - but it also really does not matter as your
problem seems to be pass-through authentication on Nginx?

Now you also need to configure Kerberos and a Keytab file on Nginx for
this all to work.  There is a reference on how to configure this with
AD integration here:
https://www.johnthedeveloper.co.uk/single-sign-on-active-directory-php-ubuntu

Ignore the parts on how to configure Apache; the first parts on
configuring Kerberos and NTP are relevant, as well as how to make a
keytab file.

--Max

On Tue, Apr 19, 2016 at 12:29 PM, A. Schulze <sca at andreasschulze.de> wrote:
>
> Max Clements:
>
>> Depending on the versions of Windows and what you are trying to do, it
>> may be possible to use Kerberos via Nginx, rather than NTLM.
>
>
> that's what I mean saying "I don't care if it's named NTLM or ugly_voodoo"
> You name it "Kerberos" - fine.
>
> Now I came up with two questions:
>  - which module you may suggest
>  - what role play the proxy mentioned here not the first time?
>
> A general problem description and how a proxy (reverse-proxy?) solve it
> would be nice.
>
> Thanks,
> Andreas
>
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx



-- 
Monday is an awful way to spend 1/7th of your life...
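
For readers of the archive, a sketch of the setup described in the message above: Nginx performing Kerberos (SPNEGO) authentication with the spnego-http-auth-nginx-module and proxying to an application server. This is an added example, not configuration from the original post; the hostname, realm, file paths, backend address and the X-Remote-User header name are placeholders.

```nginx
# Added example: assumes nginx was built with spnego-http-auth-nginx-module.
# Hostname, realm, paths, backend address and header name are placeholders.
server {
    listen 443 ssl;
    server_name intranet.example.com;   # must match the HTTP/ service principal in the keytab

    ssl_certificate     /etc/nginx/tls/intranet.crt;
    ssl_certificate_key /etc/nginx/tls/intranet.key;

    location / {
        auth_gss on;
        auth_gss_realm EXAMPLE.COM;               # Active Directory realm
        auth_gss_keytab /etc/nginx/http.keytab;   # keep readable only by the nginx worker user
        auth_gss_service_name HTTP/intranet.example.com;
        auth_gss_allow_basic_fallback off;        # Negotiate only; no password prompt over Basic

        # Pass the authenticated principal to the application. Setting the
        # header here overwrites any X-Remote-User value sent by the client.
        proxy_set_header X-Remote-User $remote_user;

        # An empty value stops the Authorization header (Negotiate token)
        # from being forwarded to the backend.
        proxy_set_header Authorization "";

        proxy_pass http://127.0.0.1:8000;         # application server behind the proxy
    }
}
```

The backend should accept connections only from Nginx, since it trusts whatever arrives in the forwarded user header.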


