httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Warnier>
Subject Re: [users@httpd] Apache reverse proxy and IIS integrated authentication
Date Mon, 30 Mar 2009 21:40:58 GMT
Lucas Ferreira wrote:
> Hello,
> I have a Microsoft IIS web server that uses integrated authentication:
> WWW-Authenticate: Negotiate
> WWW-Authenticate: NTLM
> I would like to setup an Apache-based reverse proxy before this web site. I
> have the proxy configured and working for non-authenticated requests, but
> every request that requires authentication fails with a "401 Unauthorized"
> message. If I remove the proxy, the authentication works fine.
> So, is it possible to forward integrated authentication using an Apache
> reverse proxy? If yes, where can I find documentation on this?
This may be a problem because NTLM authentication is really 
connection-based (I mean not really per-request), and the connection 
which the browser has with your proxy, is not the same as the connection 
which the proxy sets up with the back-end server.  For example, it would 
be possible for the proxy to "pool" several client browser connections, 
over a single connection to the back-end server, and that would not 
allow NTLM to work properly.

In a bit more details : NTLM authentication requires multiple exchanges 
between the authenticating server and the browser, and these exchanges 
must happen in a certain ordered sequence, on the same HTTP connection.
So if two browsers (or even two windows in the same browser) each try to 
authenticate to the back-end server, but the proxy multiplexes these 
exchanges over a single connection to the back-end server, then from the 
back-end (IIS) server point of view, the steps are seen as mixed-up (out 
of sequence on that single connection), and it will not work properly.

In summary, I think you are doomed, but I am willing to be proven wrong, 
as the subject is of interest to me also.
Another good place to ask may be the jCIFS list at   >

They are not Apache specialist there, but there are HTTP/NTLM 
specialists lurking there.
Just be nice and ask your question in a general sense, not expecting 
them to be specifically Apache proxy gurus.

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message