I posted this a few weeks ago – I hope it helps you. I did this with nginx plus, so it may not work if you are using the open-source product.
NTLM authentication authenticates connections instead of requests, and this somewhat contradicts the HTTP protocol, which is expected to be stateless. As a result it doesn't generally work through proxies, including nginx.

NGINX can support it, though; you need to use the "ntlm" directive. Below is a [stripped down] example of how I have it set up in front of TFS. I would think SharePoint would be very similar. This has worked very reliably for like a year.

    upstream MyNtlmService {
        zone backend;
        server 192.168.0.1:8080;
        server 192.168.0.2:8080;

        # See http://stackoverflow.com/questions/10395807/nginx-close-upstream-connection-after-request
        keepalive 64;

        # See http://nginx.org/en/docs/http/ngx_http_upstream_module.html#ntlm
        ntlm;
    }

    server {
        listen 80;

        location / {
            proxy_read_timeout 60s;

            # http://stackoverflow.com/questions/21284935/nginx-reverse-proxy-with-windows-authentication-that-uses-ntlm
            proxy_http_version 1.1;
            proxy_set_header Connection "";

            proxy_pass http://MyNtlmService/;
        }
    }

From: nginx [mailto:nginx-boun...@nginx.org] On Behalf Of Payam Chychi
Sent: Friday, February 23, 2018 8:05 AM
To: nginx@nginx.org
Subject: [IE] Re: NTLM sharepoint when use nginx reverse proxy

On Fri, Feb 23, 2018 at 4:32 AM Francis Daly <fran...@daoine.org> wrote:

> On Fri, Feb 23, 2018 at 04:15:31AM -0500, sonpg wrote:
>
> Hi there,
>
> > myserver requires NTLM authentication. I access myserver through nginx proxy
> > and provide correct auth info, but the browser prompts for auth again.
>
> http://nginx.org/r/ntlm
>
> nginx does not support NTLM authentication.
>
> If you need something to reverse-proxy a http server that uses NTLM,
> you must write the code to make your nginx do it, or you must use
> something that is not stock-nginx.
>
> If you choose the latter, "NGINX Plus" is one thing that does advertise
> NTLM support. Other things probably exist too.
>
>         f
> --
> Francis Daly        fran...@daoine.org
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx

Pass it to squid for NTLM auth

--
Payam Tarverdyan Chychi
Network Security Specialist / Network Engineer
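
An added example, not part of the original thread and not nginx's own tooling: a small Python check for the settings the configuration above combines ("ntlm" together with "keepalive" in the upstream, plus "proxy_http_version 1.1" and an empty "Connection" header wherever a location proxies to that upstream). The function names and the sample config are constructed for illustration; the check assumes upstream blocks sit at the top level of the text, as in the post, and that the settings are written out explicitly.

```python
import re
# Constructed sample: the post's upstream, with the location missing its HTTP/1.1 settings.
SAMPLE = '''
upstream MyNtlmService { server 192.168.0.1:8080; keepalive 64; ntlm; }
server { listen 80; location / { proxy_pass http://MyNtlmService/; } }
'''

def parse(text):
    """Turn nginx config text into nested [(words, children-or-None), ...]."""
    tokens = re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', re.sub(r'#[^\n]*', '', text))
    root = []
    stack, words = [root], []
    for tok in tokens:
        if tok in (';', '{'):
            kids = [] if tok == '{' else None
            stack[-1].append((words, kids))
            stack += [kids] if tok == '{' else []
            words = []
        elif tok == '}':
            stack.pop()
        else:
            words.append(tok)
    return root

def walk(nodes, version, headers, ntlm_ups, out):
    own = [w for w, _ in nodes if w[:1] == ['proxy_set_header'] and len(w) == 3]
    if own:  # nginx inherits proxy_set_header only when this level defines none
        headers = {w[1].lower(): w[2] for w in own}
    version = next((w[1] for w, _ in nodes if w[:1] == ['proxy_http_version']), version)
    for w, kids in nodes:
        m = re.match(r'proxy_pass https?://([^/:]+)', ' '.join(w))
        if m and m.group(1) in ntlm_ups:
            if version != '1.1':
                out.append(f'{m.group(1)}: proxy_http_version is not 1.1')
            if headers.get('connection') not in ('""', "''"):
                out.append(f'{m.group(1)}: Connection header is not cleared')
        walk(kids or [], version, headers, ntlm_ups, out)

def check_ntlm(text):
    """Findings for each upstream that uses `ntlm` and each proxy_pass to it."""
    tree, out, ntlm_ups = parse(text), [], set()
    for w, kids in tree:  # assumes upstream blocks at the top level, as in the post
        names = {k[0] for k, _ in (kids or []) if k}
        if w[:1] == ['upstream'] and len(w) == 2 and 'ntlm' in names:
            ntlm_ups.add(w[1])
            if 'keepalive' not in names:
                out.append(f'{w[1]}: ntlm without keepalive')
    walk(tree, None, {}, ntlm_ups, out)
    return out
```

Run over the constructed sample, check_ntlm(SAMPLE) reports both missing location settings; a "proxy_set_header" in a location also drops a "Connection" header set at the server level, which the check reports as well.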