Re: WWW-Authenticate in 200 OK response

Maxim Dounin
September 14, 2018 07:20PM
Hello!

On Fri, Sep 14, 2018 at 08:59:16PM +0000, Nica, George via nginx wrote:

> I am currently working on a multi-tier application, trying to use nginx as load balancer.
> The issue is that nginx seems to be adding WWW-Authenticate in the 200 OK response after the Kerberos authentication has taken place, which confuses the client. (The client could potentially ignore it, but that's possibly another issue.)
> Not sure this is expected... Any suggestion on how to avoid or work around this?
>
> [2018-09-14 14:46:14.471] root INFO: @@@@@@ Connecting to: 'http://host1:39609/url1'
> send: 'GET /url1 HTTP/1.1\r\nX-Client-User-Name: uname1\r\nAccept-Encoding: gzip\r\nConnection: close\r\nAccept: application/json\r\nUser-Agent: qz.qzdev.run\r\nHost: host1:39609\r\nX-Client-Host-Name: host2\r\nContent-Type: application/json\r\n\r\n'
> reply: 'HTTP/1.1 401 Unauthorized\r\n'
> header: Server: nginx/1.14.0
> header: Date: Fri, 14 Sep 2018 18:46:14 GMT
> header: Content-Type: text/html
> header: Content-Length: 195
> header: Connection: close
> header: WWW-Authenticate: Negotiate
> header: WWW-Authenticate: Basic realm=""
> header: Access-Control-Allow-Credentials: true
> send: 'GET /url1 HTTP/1.1\r\nX-Client-User-Name: uname1\r\nAccept-Encoding: gzip\r\nConnection: close\r\nAccept: application/json\r\nUser-Agent: qz.qzdev.run\r\nHost: host1:39609\r\nX-Client-Host-Name: host2\r\nContent-Type: application/json\r\nAuthorization: Negotiate YII........................ AghEw==\r\n\r\n'
> reply: 'HTTP/1.1 200 OK\r\n'
> header: Server: nginx/1.14.0
> header: Date: Fri, 14 Sep 2018 18:46:14 GMT
> header: Content-Type: application/json
> header: Content-Length: 430908
> header: Connection: close
> header: WWW-Authenticate: Negotiate YI .....gA==
> header: WWW-Authenticate: Basic realm=""
> header: Set-Cookie: session=ey...ZW4; HttpOnly; Path=/
> header: Access-Control-Allow-Credentials: true
> [2018-09-14 14:46:14.779] client_http_auth CRITICAL: GSSAPI failed!

It looks like you are trying to use "WWW-Authenticate: Negotiate"
AKA Integrated Windows Authentication, AKA NTLM authentication.

Unfortunately, this authentication scheme was designed without
following HTTP basic concepts, and authenticates a connection
instead of requests. As such, this authentication scheme cannot
work through a generic HTTP proxy. For NTLM authentication to work
through a proxy, it needs to keep connections to the backend server
alive and bound to corresponding client connections.

The best solution would be to avoid using NTLM authentication for
anything more complex than directly connected servers in
intranets.

If you can't do this for some reason, consider using the "ntlm"
directive, which is available as part of our commercial version,
see http://nginx.org/r/ntlm.

--
Maxim Dounin
http://mdounin.ru/
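
The following configuration is an added example, not part of the original message or of the nginx project's own material. It contrasts a generic upstream with one using the "ntlm" directive mentioned in the reply; the upstream names and the backend address are placeholders, and the listen port is taken from the quoted trace.

```nginx
# Added illustration; upstream names and backend address are placeholders.

# Generic proxying: the backend connection used for a request is not tied
# to any particular client connection, so an authentication scheme that
# authenticates the connection has nothing stable to bind to.
upstream app_generic {
    server 192.0.2.10:8080;
}

# With the "ntlm" directive (commercial version only): once a client sends
# a request whose Authorization header starts with "Negotiate" or "NTLM",
# the backend connection is bound to that client connection and reused
# for that client's later requests only.
upstream app_ntlm {
    server 192.0.2.10:8080;
    ntlm;
}

server {
    listen 39609;

    location / {
        proxy_pass http://app_ntlm;

        # Keepalive to the backend is required for the binding to work.
        proxy_http_version 1.1;
        proxy_set_header Connection "";
    }
}

# Caveat: a plain "keepalive" pool is not a substitute. Pooled backend
# connections are shared between clients, so a connection the backend
# already treats as authenticated could carry another client's requests.
```

The binding lasts only as long as the client connection itself. The client in the quoted trace sends `Connection: close` on every request, so each of its requests arrives on a new connection.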