Reverse-proxying an NTLM-protected website
How do I proxy requests to NTLM-protected websites, like TeamFoundation and SharePoint? I keep getting 401 authentication errors.

Grannias answered 30/1, 2017 at 12:56 Comment(0)

According to this Microsoft TechNet article, you can't.

Microsoft NTLM uses stateful HTTP, which is a violation of the HTTP/1.1 RFC. It relies on the authentication handshake (an affair which involves a couple of initial 401 errors) and all subsequent requests going through the exact same connection from client to server. This makes HTTP proxying nearly impossible, since each request would usually go through either a new connection or a random connection picked from a pool of open connections. It can be done, though.

NGiNX apparently supports this through the "ntlm" option, but this is part of their commercial offering. Apache HTTPD seems to have a couple of experimental patches for this, but this requires rebuilding Apache. TinyProxy doesn't support this either. HAProxy to the rescue!

Here is an example of a running configuration which works - it's a fairly simple setup with a single backend server:

backend backend_tfs
    # Single TFS/IIS backend; 'check' enables health checks, 'maxconn 3' caps
    # concurrent connections to this server at three
    server static teamfoundation.mycompany.com:8080 check maxconn 3
    mode http
    balance roundrobin
    # Keep the server-side connection open across requests ...
    option http-keep-alive
    # ... and send a client's next request down the server connection it last
    # used, so the NTLM handshake and everything after it stay on one connection
    option prefer-last-server
    timeout server 30s
    timeout connect 4s

frontend frontend_tfs
    # You probably want something other than 127.0.0.1 here:
    bind 127.0.0.1:8080 name frontend_tfs
    mode http
    # Keep the client-side connection open as well
    option http-keep-alive
    timeout client 30s
    default_backend backend_tfs

The important options here are http-keep-alive and prefer-last-server.

Grannias answered 30/1, 2017 at 12:56 Comment(1)
There are plenty of other options, of course, but Saustrup points out the vital element: you must have stateful communication. The NTLM handshake occurs in HTTP headers, so any load-balancing solution that maintains the connection from the front end to the back end will work. This should not be a high bar, as nearly all solutions are geared to this use case.
Monochrome
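The following is an added example, not code from the answer above or from HAProxy, that shows the failure mode the answer describes in runnable form. A small local HTTP server stands in for IIS and binds the NTLM authentication state to the TCP connection; the NTLM Type 1/2/3 tokens are constructed placeholders, not real NTLM messages, and the server, function and host names are hypothetical. The first client walks the whole handshake over one keep-alive connection (what the http-keep-alive plus prefer-last-server combination preserves through HAProxy); the second opens a fresh connection for every request, which is what a pooling proxy effectively does, and never gets past 401.

```python
"""Why NTLM breaks behind a connection-pooling proxy (added example, simulated).

The server below is a stand-in for IIS with Windows authentication: the
handshake state lives on the connection, not on the request.  The NTLMSSP
tokens are constructed placeholders; no real NTLM is implemented.
"""
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed placeholder tokens standing in for NTLM Type 1/2/3 messages.
TYPE1 = base64.b64encode(b"NTLMSSP\x00\x01negotiate").decode()
TYPE2 = base64.b64encode(b"NTLMSSP\x00\x02challenge").decode()
TYPE3 = base64.b64encode(b"NTLMSSP\x00\x03authenticate").decode()


class NtlmHandler(BaseHTTPRequestHandler):
    """Per-connection authentication state machine (hypothetical IIS stand-in)."""

    protocol_version = "HTTP/1.1"  # keep-alive: one TCP connection, many requests

    def setup(self):
        super().setup()
        self.stage = 0  # 0 = expecting Type 1, 1 = expecting Type 3, 2 = authenticated

    def log_message(self, *args):  # keep the demo quiet
        pass

    def _reply(self, code, body, extra=None):
        data = body.encode()
        self.send_response(code)
        for name, value in (extra or {}).items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(data)))  # needed for keep-alive
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):
        auth = self.headers.get("Authorization", "")
        if self.stage == 2:
            # Already authenticated on THIS connection: no header required at all.
            self._reply(200, "ok: connection already authenticated")
        elif self.stage == 0 and auth == "NTLM " + TYPE1:
            self.stage = 1
            self._reply(401, "", {"WWW-Authenticate": "NTLM " + TYPE2})
        elif self.stage == 1 and auth == "NTLM " + TYPE3:
            self.stage = 2
            self._reply(200, "ok: handshake completed")
        else:
            # A Type 3 arriving on a connection that never saw the challenge is
            # exactly what a pooling proxy produces: the server restarts the handshake.
            self.stage = 0
            self._reply(401, "", {"WWW-Authenticate": "NTLM"})


def send(conn, authorization=None):
    """One GET on an existing connection; returns the status code."""
    headers = {"Authorization": authorization} if authorization else {}
    conn.request("GET", "/", headers=headers)
    resp = conn.getresponse()
    resp.read()  # drain the body so the connection can be reused
    return resp.status


def handshake_same_connection(port):
    """All legs of the handshake share one TCP connection (the working case)."""
    conn = http.client.HTTPConnection("127.0.0.1", port)
    try:
        return [
            send(conn),                   # anonymous        -> 401, WWW-Authenticate: NTLM
            send(conn, "NTLM " + TYPE1),  # Type 1           -> 401 with Type 2 challenge
            send(conn, "NTLM " + TYPE3),  # Type 3           -> 200, connection authenticated
            send(conn),                   # no header at all -> still 200 on this connection
        ]
    finally:
        conn.close()


def handshake_new_connection_per_request(port):
    """Each request on a fresh connection, as a naive proxy would do (the broken case)."""
    statuses = []
    for auth in (None, "NTLM " + TYPE1, "NTLM " + TYPE3, None):
        conn = http.client.HTTPConnection("127.0.0.1", port)
        try:
            statuses.append(send(conn, auth))
        finally:
            conn.close()
    return statuses


def demo():
    """Run both clients against a throwaway server on a random localhost port."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), NtlmHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    port = server.server_address[1]
    try:
        return {
            "same_connection": handshake_same_connection(port),
            "new_connection_each_time": handshake_new_connection_per_request(port),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())
```

The same-connection client gets 401, 401, 200, 200: once the handshake completes, even a request with no Authorization header is accepted, because the server trusts the connection rather than the request. The per-request-connection client gets 401 on every leg, including the Type 3, which is the symptom the question describes. This is also why the authenticated server-side connection must never be handed to a different client: a proxy that pools "authenticated" back-end connections across users would let one user ride another's session.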

One more thing for my scenario:

If you are using SSL on both sides (the IIS servers and HAProxy), the SSL must be the same for the IIS and HAProxy servers. Otherwise NTLM doesn't work when you want to go to IIS from HAProxy.

Maybe this can help someone who has the same problem.

Cocci answered 18/11, 2020 at 6:47 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.