Welcome! Log In Create A New Profile

Advanced

Re: WWW-Authenticate in 200 OK response

Previous Message Next Message
Forum List Message List New Topic Print View
Maxim Dounin
September 17, 2018 10:00PM
Hello!

On Mon, Sep 17, 2018 at 09:18:51PM +0000, Nica, George via nginx wrote:

> Thank you Maxim.
> We are using Kerberos, on Linux. And per-request authentication, we are not trying to use session-level authentication.
> Would the ntlm module help here?

The problem is with "WWW-Authenticate: Negotiate". As it is
specified by rfc4559, and it's screwed up: it authenticates a
connection, and hence cannot properly work through proxies. See
further details here in the RFC, and errata notice for it:

https://tools.ietf.org/html/rfc4559#section-6
https://www.rfc-editor.org/errata_search.php?rfc=4559

If you are trying to proxy to a backend which uses
"WWW-Authenticate: Negotiate", this is likely the problem you are
facing: it cannot work though a proxy. If it's the case, the
"ntlm" directive will help.

But if you are instead trying to authenticate clients on nginx side,
proxying is probably not relevant, see below.

> We are already using spnego-http-auth-nginx-module to help with SPNego/GSSAPI.
> So our issue/incompatibility seems to be between backend / nginx with spnego-http-auth-nginx-module / client. The first two sending/passing the extra headers on the response and the client getting confused by it.
> As you say, nginx is a generic HTTP proxy here, so we will have to figure things out with our server / client / spnego-http-auth-nginx-module.
> Are there any other suggested approaches regarding using nginx and Kerberos?

If the authentication is expected to happen on nginx side, this
can work - assuming the spnego-http-auth-nginx-module does the right
thing.

Looking at the spnego-http-auth-nginx-module I suspect that both
"WWW-Authenticate" headers are generated by the module. Try
looking into the module documentation and sources to find out how
to use it properly. In particular, docs suggest that

auth_gss_allow_basic_fallback off;

will disable "WWW-Authenticate: Basic", and it might make your
client happy.

--
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Reply Quote
RSS
Subject Author Posted

WWW-Authenticate in 200 OK response

Nica, George via nginx September 14, 2018 05:00PM

Re: WWW-Authenticate in 200 OK response

Maxim Dounin September 14, 2018 07:20PM

RE: WWW-Authenticate in 200 OK response

Nica, George via nginx September 17, 2018 05:20PM

Re: WWW-Authenticate in 200 OK response

Maxim Dounin September 17, 2018 10:00PM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

thippeswamyks
Guests: 310
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready