Hi Chris,

On Tue, Jul 13, 2010 at 10:26:44AM +0100, Chris Sarginson wrote:
> Hi guys,
>
> Just a quick email to check something from the archives. For NTLM
> authentication to work, do I need to remove the "option httpclose" from
> the backend due to the fact that NTLM authenticates based on the TCP
> session, and not the HTTP session?

I agree with you, and this is a big security concern at many places BTW,
since it's easy to share keep-alive connections with a proxy with only
one auth.

> Or are there any other options to work around this now that I have missed.

Some people told me they already got NTLM to work over closed connections
on the server side. I find this strange, though maybe in some setups it
only needs the client's challenge in return to validate both the request
and the session at the same time. I don't know NTLM auth well, so I may
say something silly.

However, if you want you can try with "option http-server-close" instead
of "option httpclose" and see if it works. But I tend to think that the
connection really has to be maintained, so it should not work. At least
it's easy to test.

Cheers,
Willy
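
Added example, not part of the original message and not HAProxy code: a simplified Python model of connection-bound authentication as discussed above. It shows why closing the server connection after every request breaks the handshake, and why sharing one keep-alive server connection lets a second client inherit the first client's authentication. The class names, the three proxy modes and the `negotiate:`/`authenticate:` strings are assumptions of the model, not NTLM wire format or HAProxy behaviour.

```python
import itertools

class ConnBoundAuthServer:
    """Toy origin server: auth state lives on the TCP connection, not the request."""
    def __init__(self):
        self.challenged = set()   # connections that received a challenge
        self.authed = {}          # conn_id -> authenticated user

    def handle(self, conn_id, auth=None):
        if conn_id in self.authed:            # already authenticated connection:
            return 200, self.authed[conn_id]  # later requests need no credentials
        kind, _, user = (auth or "").partition(":")
        if kind == "negotiate":               # step 1: server answers with a challenge
            self.challenged.add(conn_id)
            return 401, "challenge"
        if kind == "authenticate" and conn_id in self.challenged:
            self.authed[conn_id] = user       # step 2: response on the SAME connection
            return 200, user
        return 401, None

    def close(self, conn_id):
        self.challenged.discard(conn_id)
        self.authed.pop(conn_id, None)

class Proxy:
    """mode: 'close' (new server connection per request), 'per-client', or 'shared'."""
    def __init__(self, server, mode):
        self.server, self.mode = server, mode
        self.ids, self.conns = itertools.count(1), {}

    def request(self, client, auth=None):
        if self.mode == "close":              # server side closed after each response
            cid = next(self.ids)
            resp = self.server.handle(cid, auth)
            self.server.close(cid)
            return resp
        key = client if self.mode == "per-client" else "pool"
        if key not in self.conns:
            self.conns[key] = next(self.ids)
        return self.server.handle(self.conns[key], auth)

def run(mode):
    """alice performs the handshake, then bob sends a request with no credentials."""
    proxy = Proxy(ConnBoundAuthServer(), mode)
    proxy.request("alice", "negotiate:alice")
    alice = proxy.request("alice", "authenticate:alice")
    bob = proxy.request("bob")
    return alice, bob
```

In this model only the `per-client` mode both completes alice's handshake and still rejects bob, which is the property to check for when testing a real proxy configuration.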

