How to configure apache to basic authentication or allow when ntlm while proxying?

Posted by trotzim on Server Fault See other posts from Server Fault or by trotzim
Published on 2011-12-30T14:12:00Z Indexed on 2012/11/22 11:04 UTC
Read the original article Hit count: 216

Filed under:
|
|

Here is my study case:

browser ---> apache proxy ---> ISA server ---> internet

The ISA server requires an authentication.

The issue is to allow HTTPS through the two proxies.

A configuration that works with HTTP is something like this: (yes, I don't want to use ProxyPass but ProxyRequests)

<virtualhost *:8080>
 ...
 SetEnv auth-proxy-chain on
 ...
 ProxyRequests On
 ProxyRemote * http://isaproxy:80
 ...
 <proxy *>
  AuthName "ISA server auth"
  AuthType Basic
  [here a module to authenticate]
  require valid-user
  Allow from all
 </proxy> 
 ...
 </virtualhost>

The user can authenticate on the apache proxy then the authentication chain is sent to the ISA server that allows the HTTP trafic.

But, while the browser switchs to HTTPS, the ISA server "speaks" NTLM and breaks the authentication on the apache proxy.


If I try to use the SSPI module (ntlm) with something like this:

blablabla

  <proxy *>
    AuthName "ISA server auth"
    AuthType ntlm
    [ SSPI stuff ]
    Require valid-user
    Allow from all
   </proxy>

The apache server reject the authentication (or the ISA server I don't really know).


I use wireshark to look at the nominal process while using directly the ISA server as proxy. The first auth-chain is a BASIC type then it switchs to NTLM (and the challenge continues with NTLM).

How should I configure apache that it transfers the NTLM authentication to the ISA proxy without checking it(*)? Or to rewrite headers to force BASIC authentication?

(*) It seems not to be as easy as it seems...

© Server Fault or respective owner

Related posts about apache2

Related posts about proxy