How to get Windows auth working on an nginx reverse proxy?

I configured a reverse proxy to Windows IIS 6.0 (Windows auth); visiting
the Windows server URL directly is OK.

Visiting the site through the nginx proxy prompts me for my username and
password, and after I enter them it prompts again, over and over.

This is my nginx config:

server {
    listen 80;
    server_name xxx.com;

    location / {
        proxy_pass http://xxx.com;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_max_temp_file_size 0;
        proxy_connect_timeout 30;
        proxy_read_timeout 120;
    }
}

Posted at Nginx Forum:

On Thu, Apr 8, 2010 at 2:35 PM, flapjack wrote:

I configured a reverse proxy to Windows IIS 6.0 (Windows auth); visiting the Windows server URL directly is OK.

Visiting the site through the nginx proxy prompts me for my username and password, and after I enter them it prompts again, over and over.

It won’t work at least until nginx supports backend keep-alive and
connection affinity with the front end. Right now nginx opens and
closes a connection to the back end with each request (like many
caches do). Microsoft NTLM authentication over HTTP requires that
everything happens over a single HTTP connection (in violation of many
HTTP RFCs).
See:
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/523ae943-5e6a-4200-9103-9808baa00157.mspx?mfr=true

Try using digest authentication on the IIS side instead of NTLM
authentication if your infrastructure supports it. It is equally
secure, and you can use the same username and password. If you’re
already using SSL, basic authentication is fine too. Both of these
options will prompt for a username and password, but you can still use
the windows username and password.


RPM

Hello Ryan,

May I ask a very stupid question: what do you mean by nginx not
supporting back-end keep-alive?

I checked with Wireshark; both NTLM and MD authentication use the
same TCP connection. As far as I understand, nginx just does a forwarding
job, so the question is why nginx can forward the MD request to
the client but not the NTLM request?

I hope my dull mind will not bother you too much :)

Many thanks in advance!


Hello!

On Mon, Jan 09, 2012 at 03:00:13AM -0500, cn_nginxer wrote:

Hello Ryan,

May I ask a very stupid question: what do you mean by nginx not
supporting back-end keep-alive?

Backend keepalive http connections are supported since nginx 1.1.4, but
it doesn’t help to proxy NTLM. See below.

I checked with Wireshark; both NTLM and MD authentication use the
same TCP connection. As far as I understand, nginx just does a forwarding
job, so the question is why nginx can forward the MD request to
the client but not the NTLM request?

NTLM is connection-based and requires the same connection to be
used for other requests from the client. It’s not going to work
through http proxy servers as “the same connection for the same
client” isn’t guaranteed by http proxy servers. See here for
details:

http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/523ae943-5e6a-4200-9103-9808baa00157.mspx?mfr=true

Digest authentication, in contrast, doesn’t rely on the same
connection to be used. Instead, client provides data originally
supplied by the server (nonce value) in each request. See here
for details:

Maxim D.

Hello Nginx Team,

I finally get the idea about the connection.
It is not a TCP connection; it is a pseudo-connection at the HTTP level.
NTLM keeps the authenticated HTTP connection info for
subsequent connections, so in this case it should be a bundle of
authenticated TCP connections. And for sure, if it works this way, every proxy
won't work with this evil!!! Since this is not the first time I have faced
difficulties with MS systems, I totally do not understand why MS can't do
something compliant with industry standards?! I should say MS makes it
more valuable; I damn love it!

cn_nginxer


Hello Maxim,

Many thanks for ur timely reply!

But I still do not quite understand the term “connection-based”. I
checked with Wireshark again: even with the NTLM auth scheme, it did not just use
one socket to transport the whole data; it also used several sockets to
transfer an HTML page in parallel. So it works just like Digest
Authentication; at least in the auth process they are the same. So I
am totally stuck here: where is the session info, and how does Windows NT
keep it? And if what I noticed is true, why does Digest
Authentication work but not NTLM?

A lonely Nginxer in China :)


I'm facing the same problem: Windows auth cannot work with nginx. I
care about the solution. How did you resolve this?


Hello,
Actually there is no solution for the time being; what I did was use
digest authentication instead. But in my case, if NTLM is abandoned the
user needs to enter a password every time he logs into the system, so you
need to take that into account. Should you have any further
questions, do not hesitate to come back to me.

cn_nginxer


LDAP works fine: https://github.com/kvspb/nginx-auth-ldap (LDAP authentication module for nginx)


Hi,

We are now 4 years later; is there a solution now?
I read things like:

upstream http_backend {
    server 1.1.1.1:80;

    keepalive 16;
}

server {
    location / {
        proxy_pass http://http_backend/;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
    }
}


Is this the solution?
Has somebody tried it?

thanks a lot


Thanks for this quick reply…
This seems quite hard to implement for someone like me who is not used to
that.
:)

I'll try it if the way described in my previous post does not work.

thanks again !


cehes wrote:

}
This is working fine for us, against IIS and Apache + addon_modules

Heiko


Hi hheiko,

thanks for this update.

I'm trying to access Exchange using Outlook Anywhere.

Normally, I would do a “proxy_pass https://ip-of-my-exchange-server”.

Here, if I understand well, I only have to replace “server 1.1.1.1:80”
in the sample I gave with “server ip-of-my-exchange-server:443”
and do a “proxy_pass https://http_backend”, that's all, and that will
support Windows auth?? Great!

No problem with https?

Many thanks


Hello!

On Tue, Feb 16, 2016 at 11:59:27AM -0500, cehes wrote:

and do a “proxy_pass https://http_backend”, that's all, and that will support
Windows auth?? Great!

No problem with https?

This won’t work.
See my response here:

http://mailman.nginx.org/pipermail/nginx/2016-February/049889.html


Maxim D.
http://nginx.org/

Hello!

On Tue, Feb 16, 2016 at 03:37:01AM -0500, cehes wrote:

server {

Is this the solution ?
Somebody tried it ?

No, this is not expected to work - unless you are using the server
with exactly one user.

Proper support for Windows Authentication (aka NTLM) requires
connections to backend servers to be bound to particular
connections to clients, as NTLM authenticates connections, not
requests. By using common keepalive pool as in the configuration
above any authentication will basically authenticate arbitrary
clients who happen to use the authenticated connection from the
cache of keepalive connections to upstream servers.

Proper support for proxying NTLM authentication was recently
implemented in our commercial version, see
Module ngx_http_upstream_module.


Maxim D.
http://nginx.org/
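Two points made in this thread are easy to see in a toy model: RPM's reply above explains that NTLM authenticates the upstream connection rather than the request, so a proxy that opens a fresh upstream connection per request can never complete the handshake (the prompt loop from the first post), and Maxim's reply above warns that a shared keepalive pool hands an already-authenticated upstream connection to whichever client comes next. The following is an added example, not code from the thread, from nginx or from Microsoft. The backends, the three proxy strategies and the client are simplified stand-ins: the NTLM-style backend accepts any response that repeats the nonce issued on the same connection, the Digest-style backend only checks that the nonce was issued, and the "client-bound" proxy stands in for what the commercial ntlm directive or a stream-level TCP proxy provides.

```python
"""
Toy model of connection-bound (NTLM-style) versus request-bound
(Digest-style) authentication behind three proxy strategies.

Added illustration only; not real NTLM, Digest or nginx behaviour.
"""
import itertools


class NtlmLikeBackend:
    """Connection-bound: the challenge and the resulting trust are keyed by
    the upstream connection, not by anything in later requests."""

    def __init__(self):
        self._challenge = {}   # conn_id -> nonce issued on that connection
        self._authed = {}      # conn_id -> user trusted on that connection
        self._nonces = itertools.count(1000)

    def handle(self, conn_id, auth):
        if conn_id in self._authed:         # trusted connection: no credentials checked
            return 200, self._authed[conn_id]
        if auth is None:
            return 401, "NTLM"              # leg 1: tell the client which scheme to use
        if auth[0] == "negotiate":          # leg 2: challenge remembered per connection
            nonce = next(self._nonces)
            self._challenge[conn_id] = nonce
            return 401, ("challenge", nonce)
        _, user, nonce = auth               # leg 3: must arrive on the challenged connection
        if self._challenge.get(conn_id) == nonce:   # toy: real NTLM also verifies the hash
            self._authed[conn_id] = user
            return 200, user
        return 401, "NTLM"                  # unknown connection: handshake starts over


class DigestLikeBackend:
    """Request-bound: the client repeats the server's nonce in every request,
    so the backend keeps no per-connection state (Basic works the same way)."""

    def __init__(self):
        self._issued = set()
        self._nonces = itertools.count(5000)

    def handle(self, conn_id, auth):
        if auth is not None and auth[0] == "response":
            _, user, nonce = auth
            if nonce in self._issued:       # toy: real Digest also verifies the hash
                return 200, user
        nonce = next(self._nonces)
        self._issued.add(nonce)
        return 401, ("challenge", nonce)


class FreshConnectionProxy:
    """Pre-1.1.4 nginx behaviour: a new upstream connection for every request."""

    def __init__(self):
        self._ids = itertools.count(1)

    def request(self, backend, client_conn, auth):
        return backend.handle(next(self._ids), auth)


class SharedKeepalivePoolProxy:
    """upstream { keepalive N; }: idle upstream connections go back to a pool
    and are reused by whichever client request comes next."""

    def __init__(self):
        self._ids = itertools.count(1)
        self._pool = []

    def request(self, backend, client_conn, auth):
        conn = self._pool.pop() if self._pool else next(self._ids)
        result = backend.handle(conn, auth)
        self._pool.append(conn)
        return result


class ClientBoundProxy:
    """One upstream connection per client connection, never shared: the model
    of the commercial ntlm directive or of stream-level (TCP) proxying."""

    def __init__(self):
        self._ids = itertools.count(1)
        self._bound = {}

    def request(self, backend, client_conn, auth):
        conn = self._bound.setdefault(client_conn, next(self._ids))
        return backend.handle(conn, auth)


def client_session(proxy, backend, client_conn, user, max_rounds=6):
    """One browser on one client connection: answers each 401 with the next
    handshake leg until it gets 200, or gives up (the endless password
    prompt). Returns the identity the backend served, or None."""
    auth = None
    for _ in range(max_rounds):
        status, body = proxy.request(backend, client_conn, auth)
        if status == 200:
            return body
        auth = ("negotiate",) if body == "NTLM" else ("response", user, body[1])
    return None


def run(backend_cls, proxy_cls, users=("alice", "bob")):
    """Serve the users one after another through a single proxy and report
    which identity each of them was served as."""
    backend, proxy = backend_cls(), proxy_cls()
    return {user: client_session(proxy, backend, f"client-{i}", user)
            for i, user in enumerate(users)}


if __name__ == "__main__":
    for backend_cls in (NtlmLikeBackend, DigestLikeBackend):
        for proxy_cls in (FreshConnectionProxy, SharedKeepalivePoolProxy, ClientBoundProxy):
            print(f"{backend_cls.__name__:18} via {proxy_cls.__name__:26} -> "
                  f"{run(backend_cls, proxy_cls)}")
```

Running the block prints one line per backend/proxy pair. The NTLM-style backend behind the fresh-connection proxy never gets past 401 for either user; behind the shared pool the first user authenticates and the second user is then served as the first user's identity without presenting anything (Maxim's "exactly one user" caveat); only the client-bound proxy serves each user as itself. The Digest-style backend works through all three strategies because every request carries what the backend needs.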

Hi Maxim, and thanks for this reply.

I read your link and I can see that you added the keyword ntlm. You mean
that I won't have that in the free version and that I have to purchase a
commercial version, that's the only way, correct?

I did not even know there was a commercial version :)


Hello!

On Wed, Feb 17, 2016 at 05:34:43AM -0500, cehes wrote:

I read your link and I can see that you added the keyword ntlm. You mean
that I won't have that in the free version and that I have to purchase a
commercial version, that's the only way, correct?

Yes. If you want to keep things free, consider switching from
proprietary and non-standard NTLM to standard Basic
authentication.

Alternatively, you can try using stream module to proxy
connections instead of HTTP requests, see
Module ngx_stream_core_module. This
approach has obvious downsides though.


Maxim D.
http://nginx.org/

OK, thanks for this reply.

Where can I find the right version for that? (the commercial one)
I went on www.nginx.com and saw “nginx plus”; is that what you're talking
about?
I went to the version comparison but did not see NTLM support.

Will it be easy to upgrade from the free version to the right one?

Do you have an idea of the price? I only see support prices.

Thanks a lot


Hello!

On Thu, Feb 18, 2016 at 05:20:06AM -0500, cehes wrote:

OK, thanks for this reply.

Where can I find the right version for that? (the commercial one)
I went on www.nginx.com and saw “nginx plus”; is that what you're talking
about?

Yes, that’s the only commercial version available.

I went to the version comparison but did not see NTLM support.

The NTLM support is documented here:

http://nginx.org/r/ntlm

Will it be easy to upgrade from the free version to the right one?

It should be, though depends on your particular setup.

Do you have an idea of the price? I only see support prices.

Pricing for nginx plus is available here:

Please use the “contact sales” on nginx.com if you have any
further questions.


Maxim D.
http://nginx.org/

Thank you very much for all of that.
