Re: Advise for NTLM-Auth

Max Clements
April 19, 2016 02:54PM
Depending on the versions of Windows and what you are trying to do, it
may be possible to use Kerberos via Nginx, rather than NTLM. It
requires some foo setting up Service Principal Names, but does work
properly via an HTTP proxy, and provides passthrough auth, which seems
to be what the desire here is.

On Mon, Apr 18, 2016 at 11:12 PM, Payam Chychi <pchychi@gmail.com> wrote:
>
>
> On Apr 18, 2016, 6:25 PM -0700, Maxim Dounin <mdounin@mdounin.ru>, wrote:
>
> Hello!
>
> On Mon, Apr 18, 2016 at 02:28:19PM -0700, Payam Chychi wrote:
>
> Maxim Dounin:
>
> Just a side note: NTLM auth is broken by design and violates HTTP
> basic rules. Avoid using it if you can.
>
>
> to be clear: I don't care if it's named NTLM or ugly_voodoo
>
> The goal is an nginx accessed by an IE/Edge browser. Users should not be
> bothered with authentication
> as they are already logged on into the windows account.
>
> possible?
>
>
> I'm not sure what you do not understand from the reply, NTLM auth is broken.
> This is not about "let's call it Voodoo_melt" and make it work, Windows
> utilizes NTLM, so... what you are trying to use will not work. Why? Because
> NGINX NTLM does not work.
>
>
> No, you didn't get it. NTLM http auth itself, as "defined" by
> RFC 4559, is broken by design, and it has nothing to do with nginx.
> In anything more complex than "a server and directly connected
> clients" it's expected to require various NTLM-specific hacks,
> quirks, and so on. Because NTLM tries to authenticate connections
> instead of requests, thus breaking basic HTTP principles.
>
> The above, actually, is explicitly said in RFC 4559 Errata, see
> https://www.rfc-editor.org/errata_search.php?rfc=4559.
>
> And that's why I don't recommend using it if possible. Regardless
> of support in particular software.
>
> --
> Maxim Dounin
> http://nginx.org/
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
>
>
> Hi Maxim,
>
>
> Broken or not, it's what MS supports and it's not going anywhere just yet.
>
>
> If he/his application needs ntlm, mainly because of MS based solutions and
> first hand I can say that nginx module vs. squid comes up very short.
>
>
> So in short... If you 'need' ntlm and want a fully working ntlm auth then
> proxy/redir to a squid box, or wrap it in a tcp proxy; lot of ways to make
> something work if you 'must'
>
>
>



--
Monday is an awful way to spend 1/7th of your life...
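
Added example (not part of the original thread or of nginx): one way to check which mechanism a browser actually sends through the proxy, since Kerberos and NTLM can both arrive under the `Negotiate` scheme. The header values are constructed placeholders, not captured traffic, and the matching is a signature heuristic rather than a full SPNEGO parser.

```python
import base64
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"  # signature that opens every NTLM message
# DER encoding of the Kerberos 5 mechanism OID 1.2.840.113554.1.2.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")
NTLM_TYPES = {1: "negotiate", 2: "challenge", 3: "authenticate"}


def classify_authorization(value):
    """Return (mechanism, detail) for one HTTP Authorization header value."""
    scheme, _, blob = value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme not in ("ntlm", "negotiate"):
        return ("other", scheme)
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return ("invalid", "token is not valid base64")
    # NTLM may be sent bare or wrapped in SPNEGO; either way the NTLMSSP
    # signature appears in the token, followed by a little-endian type.
    pos = token.find(NTLMSSP_SIG)
    if pos != -1 and len(token) >= pos + 12:
        (msg_type,) = struct.unpack_from("<I", token, pos + 8)
        return ("ntlm", NTLM_TYPES.get(msg_type, "unknown type"))
    # 0x60 is the GSS-API initial-token tag; a Kerberos token names its OID.
    if token[:1] == b"\x60" and KRB5_OID in token:
        return ("kerberos", "GSS-API token naming the Kerberos 5 OID")
    return ("unknown", "unrecognised token")


def b64(raw):
    return base64.b64encode(raw).decode("ascii")


# Constructed header values (placeholders, not captured traffic).
SAMPLES = {
    "ntlm_scheme": "NTLM " + b64(NTLMSSP_SIG + struct.pack("<II", 1, 0)),
    "negotiate_ntlm": "Negotiate " + b64(NTLMSSP_SIG + struct.pack("<II", 3, 0)),
    "negotiate_krb5": "Negotiate " + b64(
        b"\x60\x1b" + bytes.fromhex("06062b0601050502") + KRB5_OID + bytes(8)),
    "basic": "Basic dXNlcjpwYXNz",
}

if __name__ == "__main__":
    for name, header in SAMPLES.items():
        print(name, classify_authorization(header))
```

A result of `ntlm` under the `Negotiate` scheme means the client fell back from Kerberos to the connection-bound mechanism discussed in the quoted replies.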
