
Here is my case study:

browser ---> apache proxy ---> ISA server ---> internet

The ISA server requires authentication.

The issue is to allow HTTPS through the two proxies.

A configuration that works with HTTP is something like this: (yes, I don't want to use ProxyPass but ProxyRequests)

    <virtualhost *:8080>
        ...
        SetEnv auth-proxy-chain on
        ...
        ProxyRequests On
        ProxyRemote * http://isaproxy:80
        ...
        <proxy *>
            AuthName "ISA server auth"
            AuthType Basic
            [here a module to authenticate]
            require valid-user
            Allow from all
        </proxy>
        ...
    </virtualhost>

The user can authenticate on the Apache proxy, then the authentication chain is sent to the ISA server, which allows the HTTP traffic.

But when the browser switches to HTTPS, the ISA server "speaks" NTLM and breaks the authentication on the Apache proxy.


If I try to use the SSPI module (ntlm) with something like this:

blablabla

    <proxy *>
        AuthName "ISA server auth"
        AuthType ntlm
        [ SSPI stuff ]
        Require valid-user
        Allow from all
    </proxy>

The Apache server rejects the authentication (or the ISA server does, I don't really know).


I use Wireshark to look at the nominal process while using the ISA server directly as the proxy. The first auth-chain is a BASIC type, then it switches to NTLM (and the challenge continues with NTLM).

How should I configure Apache so that it transfers the NTLM authentication to the ISA proxy without checking it(*)? Or to rewrite headers to force BASIC authentication?

(*) It seems not to be as easy as it seems...

Kenny Rasschaert
trotzim
  • Why are you using `ProxyRequests`? Why are you authenticating on the Apache server at all? – Shane Madden Dec 30 '11 at 17:17
  • I just want to use Apache as a forward proxy. If I don't put some authentication on the Apache server I can't forward user auth to the ISA server; or am I missing something? – trotzim Jan 02 '12 at 14:07

1 Answer

If you don't do authentication on the proxy, then the normal authentication process will happen between the ISA server and the client.

If that would work for you, then that's the suggestion that I'd make; there's really no way to double-authenticate in the same headers to both different servers unless the servers are both doing basic authentication with the same credentials.

Shane Madden
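
As an added example (not part of the original question or answer): a small Python helper for reading a capture like the Wireshark one described in the question. It labels each `Proxy-Authenticate` / `Proxy-Authorization` header by scheme and, for NTLM, by handshake message type, which makes it visible that a header carries one scheme's token at a time. The function names and the sample headers are constructed for illustration.

```python
import base64
import struct

NTLM_TYPES = {1: "negotiate", 2: "challenge", 3: "authenticate"}

def classify(line):
    """Classify one Proxy-Authenticate / Proxy-Authorization header line."""
    name, _, value = line.partition(":")
    name = name.strip().lower()
    if name not in ("proxy-authenticate", "proxy-authorization"):
        return None                                  # not a proxy-auth header
    scheme, _, token = value.strip().partition(" ")
    scheme, token = scheme.lower(), token.strip()
    if scheme == "ntlm":
        if not token:
            return (name, "ntlm", "offered")         # bare advertisement in a 407
        try:
            raw = base64.b64decode(token, validate=True)
            if not raw.startswith(b"NTLMSSP\x00"):
                raise ValueError("bad NTLM signature")
            (msg_type,) = struct.unpack_from("<I", raw, 8)   # little-endian type field
        except (ValueError, struct.error):
            return (name, "ntlm", "malformed")
        return (name, "ntlm", NTLM_TYPES.get(msg_type, "unknown"))
    if scheme == "basic" and name == "proxy-authorization":
        try:
            user = base64.b64decode(token, validate=True).split(b":", 1)[0]
        except ValueError:
            return (name, "basic", "malformed")
        return (name, "basic", "user=" + user.decode("latin-1"))  # password is never reported
    return (name, scheme, "offered" if name == "proxy-authenticate" else "credentials")

def ntlm_msg(msg_type):
    """Constructed NTLM token: signature and type field only, body zero-padded."""
    raw = b"NTLMSSP\x00" + struct.pack("<I", msg_type) + b"\x00" * 20
    return base64.b64encode(raw).decode()

# Constructed header sequence in the order the question describes: Basic first, then NTLM.
SAMPLE = [
    'Proxy-Authenticate: Basic realm="example"',
    "Proxy-Authorization: Basic " + base64.b64encode(b"alice:not-a-real-password").decode(),
    "Proxy-Authenticate: NTLM",
    "Proxy-Authorization: NTLM " + ntlm_msg(1),
    "Proxy-Authenticate: NTLM " + ntlm_msg(2),
    "Proxy-Authorization: NTLM " + ntlm_msg(3),
    "Host: example.test:443",
]

def trace(lines):
    return [r for r in map(classify, lines) if r is not None]
```

Feeding it the header lines exported from a capture, in order, shows at which request the scheme changes and which hop answered with the NTLM challenge.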