Advice for NTLM-Auth

Hello,

Currently we run web applications on nginx, accessible from MS clients
that are part of a Windows domain.
The users are requested to authenticate via Basic-Auth (via HTTPS),
which nginx validates against the
domain Active Directory using GitHub - kvspb/nginx-auth-ldap: LDAP authentication module for nginx

But I think the MS browser could do NTLM auth as well.

Are there suggested nginx modules to let an MS browser log in
transparently to a webapp run on nginx?
I found GitHub - stnoonan/spnego-http-auth-nginx-module: SPNEGO HTTP Authentication Module for nginx so far.
Before I start playing I’ll ask if there are other / better /
suggested modules?
(I usually compile nginx+modules myself)

Thanks
Andreas

Hello!

On Mon, Apr 18, 2016 at 09:21:53PM +0200, A. Schulze wrote:

Are there suggested nginx modules to let an MS browser log in transparently to
a webapp run on nginx?
I found GitHub - stnoonan/spnego-http-auth-nginx-module: SPNEGO HTTP Authentication Module for nginx so far.
Before I start playing I’ll ask if there are other / better / suggested
modules?
(I usually compile nginx+modules myself)

Just a side note: NTLM auth is broken by design and violates HTTP
basic rules. Avoid using it if you can.


Maxim D.
http://nginx.org/

Maxim D.:

Just a side note: NTLM auth is broken by design and violates HTTP
basic rules. Avoid using it if you can.

To be clear: I don’t care if it’s named NTLM or ugly_voodoo.

The goal is an nginx accessed by an IE/Edge browser. Users should not be
bothered with authentication
as they are already logged on to their Windows account.

possible?

possible?

I’m not sure what you do not understand from the reply: NTLM auth is
broken. This is not about “let’s call it Voodoo_melt” and make it work.
Windows utilizes NTLM, so… what you are trying to use will not work.
Why? Because NGINX NTLM does not work.

Now, if you are looking for a solution… a solution you may have.

Re-route your authentication to squid, which does support NTLM auth. If
this is not what you want to do then you are more than welcome to write
an NTLM auth module that works.

Thanks

Hello!

On Mon, Apr 18, 2016 at 02:28:19PM -0700, Payam C. wrote:

possible?

I’m not sure what you do not understand from the reply: NTLM auth is broken.
This is not about “let’s call it Voodoo_melt” and make it work. Windows
utilizes NTLM, so… what you are trying to use will not work. Why? Because
NGINX NTLM does not work.

No, you didn’t get it. NTLM http auth itself, as “defined” by
RFC 4559, is broken by design, and it has nothing to do with nginx.
In anything more complex than “a server and directly connected
clients” it’s expected to require various NTLM-specific hacks,
quirks, and so on. Because NTLM tries to authenticate connections
instead of requests, thus breaking basic HTTP principles.

The above, actually, is explicitly said in RFC 4559 Errata, see
RFC Errata Report » RFC Editor.

And that’s why I don’t recommend using it if possible. Regardless
of support in particular software.


Maxim D.
http://nginx.org/

Hi.

On 18-04-2016 22:59, A. Schulze wrote:

possible?

Well, as the commercial one has the ntlm feature for upstream

http://nginx.org/en/docs/http/ngx_http_upstream_module.html#ntlm

maybe there could be an auth_ntlm also for the commercial one?

Best Regards
Aleks

Depending on the versions of Windows and what you are trying to do, it
may be possible to use Kerberos via Nginx, rather than NTLM. It
requires some foo setting up Service Principal Names, but does work
properly via an HTTP proxy, and provides passthrough auth, which seems
to be what the desire here is.

nginx mailing list
nginx Info Page


Monday is an awful way to spend 1/7th of your life…

Max Clements:

Depending on the versions of Windows and what you are trying to do, it
may be possible to use Kerberos via Nginx, rather than NTLM.

That’s what I meant by saying “I don’t care if it’s named NTLM or
ugly_voodoo”.
You name it “Kerberos” - fine.

Now I came up with two questions:

  • which module would you suggest?
  • what role does the proxy, mentioned here not for the first time, play?

A general problem description and how a proxy (reverse-proxy?) solves it
would be nice.

Thanks,
Andreas

Andreas,

Kerberos and NTLM are two completely different ways of authenticating
a user. Whilst they essentially do the same thing, the main difference
that you care about is that Kerberos works correctly over HTTP, unlike
NTLM which does not.

  • which module would you suggest?
    There are a number of modules that perform Kerberos authentication on
    Nginx – this one for example:
    GitHub - stnoonan/spnego-http-auth-nginx-module: SPNEGO HTTP Authentication Module for nginx. You should
    select one that meets your needs.

  • what role does the proxy, mentioned here not for the first time, play?
    I am using the term generically. Nginx is a proxy to whatever
    application you are running behind it - in the sense that you make a
    request to Nginx from a client, and Nginx sends it (proxies) it to
    your application server - be that a WSGI application or whatever.
    That part I don’t know - but it also really does not matter as your
    problem seems to be pass-through authentication on Nginx?

Now you also need to configure Kerberos and a Keytab file on Nginx for
this all to work. There is a reference on how to configure this with
AD integration here:
https://www.johnthedeveloper.co.uk/single-sign-on-active-directory-php-ubuntu

Ignore the parts on how to configure Apache, the first parts on
configuring kerberos and NTP are relevant, as well as how to make a
keytab file.

–Max
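As an added illustration (not configuration posted by anyone in this thread), here is the nginx side of the Kerberos/SPNEGO setup Max describes, using the directives of the stnoonan module he links. The realm EXAMPLE.COM, host web.example.com, keytab path, TLS paths and upstream address are placeholders, and it assumes the module exposes the authenticated principal as $remote_user.

```nginx
# Added example: nginx + stnoonan/spnego-http-auth-nginx-module for
# browser single sign-on against Active Directory. EXAMPLE.COM,
# web.example.com, the keytab/TLS paths and the upstream are placeholders.
#
# Prerequisites outside nginx (the AD/keytab reference above covers them):
#   - the host clock is NTP-synced with the domain controllers, since
#     Kerberos rejects tickets outside the allowed clock skew;
#   - an AD account has the SPN HTTP/web.example.com registered and its
#     key exported into the keytab file used below;
#   - the keytab is root-owned and readable only by the nginx worker user
#     (mode 0640): it is equivalent to the service account's password;
#   - IE/Edge only send Negotiate to sites in the Local Intranet zone, so
#     web.example.com must be placed there (e.g. via group policy).

server {
    listen 443 ssl;
    server_name web.example.com;          # must match the SPN's host part

    ssl_certificate     /etc/nginx/tls/web.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/web.example.com.key;

    location / {
        # Negotiate (SPNEGO/Kerberos) authentication for this location.
        auth_gss              on;
        auth_gss_realm        EXAMPLE.COM;
        auth_gss_keytab       /etc/nginx/http.keytab;
        auth_gss_service_name HTTP;

        # Do not fall back to Basic: the domain password then never
        # appears in a request, which is the point of leaving Basic-Auth.
        auth_gss_allow_basic_fallback off;

        # Pass the verified principal (user@EXAMPLE.COM) to the app.
        # The app must accept this header only from nginx, never from
        # clients directly, so bind the upstream to localhost.
        proxy_set_header X-Remote-User $remote_user;
        proxy_pass       http://127.0.0.1:8080;
    }
}
```

Test with a domain-joined client first and with a non-domain client second: the former should reach the app without a prompt, the latter should receive 401 with WWW-Authenticate: Negotiate and no Basic challenge.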
