Hello everyone!

I'm sorry for my english, I'm french so I hope you will understand my problem.


I have a big problem about ntlm authentication with sharepoint applications and nginx reverse proxy.

I have sharepoint applications using ntlm authentication, and I can't change the authentication method (no Basic, or digest...).
When the client want to connect to sharepoint, requests pass throught a nginx reverse proxy as below:

Client ----------->nginx Reverse Proxy -------------> Sharepoint

When I connect to sharepoint (threw the reverse proxy), it ask me credential again and again and again... and after I can access to the application.

I put a "keepalive 1024 " in the upstream configuration (ntlm authentication require the same tcp connection, otherwise it doesn't work)

I used Wireshark to see what happen, and I saw that several tcp connections are created by the client (each time that a tcp connection is establish an ntlm authentication happen), but when the reverse proxy "forward" packets, it establishes its own tcp connection with sharepoint but mix packets from different tcp connection coming from client. And because of that, sharepoint ask me credentials several time.


It's hard to explain so see below, it can hep you:

View Layer 4 (TCP):
Client1--packet1A---packet2A----packet3A--->RP--->packet1A----packet2B-----packet3A---->Sharepoint
Client1--packet1B---packet2B----packet3B--->RP--->packet1B----packet2A-----packet3B---->Sharepoint

View Layer 7(http):
Client1-------http1--------http2----------http3------->RP------>http1----------http2------------http3-------->Sharepoint


RP is Reverse Proxy
http? is a http request

The probleme is that nginx can see the layer 7 but can't see layer 4. In consequence, http requests will be receive in the good order by sharepoint but with different tcp connection.

Is there a parameter in nginx configuration which allow to forward packets to upstream in keeping same tcp connection from downstream?

I hope you can help me.

Best Regard,

Jon