Re: Advise for NTLM-Auth

April 19, 2016 02:14AM
On Apr 18, 2016, 6:25 PM -0700, Maxim Dounin <mdounin@mdounin.ru>, wrote:
> Hello!
>
> On Mon, Apr 18, 2016 at 02:28:19PM -0700, Payam Chychi wrote:
>
> > > Maxim Dounin:
> > >
> > > > Just a side note: NTLM auth is broken by design and violates HTTP
> > > > basic rules. Avoid using it if you can.
> > >
> > > to be clear: I don't care if it's named NTLM or ugly_voodoo
> > >
> > > The goal is an nginx accessed by an IE/Edge browser. Users should not be
> > > bothered with authentication
> > > as they are already logged on to the Windows account.
> > >
> > > possible?
> > >
> >
> > I'm not sure what you do not understand from the reply, NTLM auth is broken.
> > This is not about "let's call it Voodoo_melt" and make it work, Windows
> > utilizes NTLM, so... what you are trying to use will not work. Why? Because
> > NGINX NTLM does not work.
>
> No, you didn't get it. NTLM http auth itself, as "defined" by
> RFC 4559, is broken by design, and it has nothing to do with nginx.
> In anything more complex than "a server and directly connected
> clients" it's expected to require various NTLM-specific hacks,
> quirks, and so on. Because NTLM tries to authenticate connections
> instead of requests, thus breaking basic HTTP principles.
>
> The above, actually, is explicitly said in RFC 4559 Errata, see
> https://www.rfc-editor.org/errata_search.php?rfc=4559.
>
> And that's why I don't recommend using it if possible. Regardless
> of support in particular software.
>
> --
> Maxim Dounin
> http://nginx.org/
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
>
> Hi Maxim,
>
> Broken or not, it's what MS supports and it's not going anywhere just yet.
>
> If he/his application needs NTLM, mainly because of MS-based solutions and first hand I can say that nginx module vs. squid comes up very short.
>
> So in short... If you 'need' NTLM and want a fully working NTLM auth then proxy/redir to a squid box, or wrap it in a TCP proxy; lots of ways to make something work if you 'must'
>
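
The point raised in the thread, that NTLM authenticates connections rather than requests, shown as an added illustration that is not part of any poster's message or of nginx. It is a constructed model, not real NTLM: the class names, connection ids and users are hypothetical, and it only tracks which identity a backend attributes to each request when an intermediary reuses upstream connections.

```python
# Constructed model, not real NTLM: it only tracks which identity the backend
# attributes to each request. All names here are hypothetical.

class Backend:
    def __init__(self, per_connection):
        self.per_connection = per_connection  # True = NTLM-style binding
        self.bound = {}                       # upstream conn id -> user

    def handle(self, conn_id, credentials):
        """Return (status, user the backend believes is asking)."""
        if self.per_connection:
            if credentials:                   # handshake binds user to the connection
                self.bound[conn_id] = credentials
            user = self.bound.get(conn_id)    # later requests inherit that identity
        else:
            user = credentials                # every request must prove identity
        return (200, user) if user else (401, None)


class Proxy:
    """Intermediary that either shares one upstream connection between all
    clients (ordinary HTTP connection reuse) or pins one upstream per client."""

    def __init__(self, backend, pin_per_client):
        self.backend = backend
        self.pin_per_client = pin_per_client

    def forward(self, client_conn, credentials=None):
        upstream = client_conn if self.pin_per_client else "shared-0"
        return self.backend.handle(upstream, credentials)


def scenario(per_connection, pin_per_client):
    """alice authenticates, then bob sends a request with no credentials."""
    proxy = Proxy(Backend(per_connection), pin_per_client)
    alice = proxy.forward("client-alice", credentials="alice")
    bob = proxy.forward("client-bob")
    return alice, bob


if __name__ == "__main__":
    print("connection auth, shared upstream:", scenario(True, False))
    print("connection auth, pinned upstream:", scenario(True, True))
    print("request auth, shared upstream:   ", scenario(False, False))
```

With connection-bound authentication and a shared upstream, the second client is served under the first client's identity; pinning each upstream connection to one client connection is the kind of NTLM-specific workaround an intermediary then needs, while per-request authentication is unaffected by connection reuse.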