Re: WWW-Authenticate in 200 OK response

2018-09-14 Thread Maxim Dounin
Hello!

On Fri, Sep 14, 2018 at 08:59:16PM +, Nica, George via nginx wrote:

> I am currently working on a multi-tier application, trying to use nginx as 
> load balancer.
> The issue is that nginx seems to be adding WWW-Authenticate in the 200 OK 
> response after the Kerberos authentication has taken place, which confuses 
> the client. (The client could potentially ignore it, but that's possibly 
> another issue.)
> Not sure this is expected... Any suggestion on how to avoid or work around 
> this?
> 
> [2018-09-14 14:46:14.471] root INFO: @@ Connecting to: 
> 'http://host1:39609/url1'
> send: 'GET /url1 HTTP/1.1\r\nX-Client-User-Name: uname1\r\nAccept-Encoding: 
> gzip\r\nConnection: close\r\nAccept: application/json\r\nUser-Agent: 
> qz.qzdev.run\r\nHost: host1:39609\r\nX-Client-Host-Name: 
> host2\r\nContent-Type: application/json\r\n\r\n'
> reply: 'HTTP/1.1 401 Unauthorized\r\n'
> header: Server: nginx/1.14.0
> header: Date: Fri, 14 Sep 2018 18:46:14 GMT
> header: Content-Type: text/html
> header: Content-Length: 195
> header: Connection: close
> header: WWW-Authenticate: Negotiate
> header: WWW-Authenticate: Basic realm=""
> header: Access-Control-Allow-Credentials: true
> send: 'GET /url1 HTTP/1.1\r\nX-Client-User-Name: uname1\r\nAccept-Encoding: 
> gzip\r\nConnection: close\r\nAccept: application/json\r\nUser-Agent: 
> qz.qzdev.run\r\nHost: host1:39609\r\nX-Client-Host-Name: 
> host2\r\nContent-Type: application/json\r\nAuthorization: Negotiate 
> YII AghEw==\r\n\r\n'
> reply: 'HTTP/1.1 200 OK\r\n'
> header: Server: nginx/1.14.0
> header: Date: Fri, 14 Sep 2018 18:46:14 GMT
> header: Content-Type: application/json
> header: Content-Length: 430908
> header: Connection: close
> header: WWW-Authenticate: Negotiate YI .gA==
> header: WWW-Authenticate: Basic realm=""
> header: Set-Cookie: session=ey...ZW4; HttpOnly; Path=/
> header: Access-Control-Allow-Credentials: true
> [2018-09-14 14:46:14.779] client_http_auth CRITICAL: GSSAPI failed!

It looks like you are trying to use "WWW-Authenticate: Negotiate" 
AKA Integrated Windows Authentication, AKA NTLM authentication.

Unfortunately, this authentication scheme was designed without 
following HTTP basic concepts, and authenticates a connection 
instead of requests.  As such, this authentication scheme cannot 
work through a generic HTTP proxy.  For NTLM authentication to work 
through a proxy, it needs to keep connections to the backend server 
alive and bound to corresponding client connections.

The best solution would be to avoid using NTLM authentication for 
anything more complex than directly connected servers in 
intranets.

If you can't do this for some reason, consider using the "ntlm" 
directive, which is available as part of our commercial version, 
see http://nginx.org/r/ntlm.

-- 
Maxim Dounin
http://mdounin.ru/
___
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
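An added illustration of the point made in the reply above (not code from the thread, nginx, or its author): a small Python model of a backend that authenticates the connection rather than each request, sat behind two kinds of proxy. The challenge/response handshake, the `ConnectionBoundBackend`, `PerRequestProxy` and `PinnedProxy` classes and the `run_handshake` client are all constructed for this example and deliberately simplified; they are not NTLM or SPNEGO itself, only the property that matters here, namely that the backend keeps the auth state per backend connection. The generic proxy forwards each request on whatever backend connection is next, so the client's answer to a challenge arrives on a connection the backend never challenged; the pinned proxy keeps one backend connection per client connection and the handshake completes.

```python
import itertools
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class ConnectionBoundBackend:
    """Backend that authenticates the TCP connection, not the request.

    State is keyed by backend connection id, standing in for the socket a
    real server would key it by. This is a constructed simplification of
    the NTLM/Negotiate behaviour described in the thread.
    """
    challenges: Dict[str, str] = field(default_factory=dict)  # conn_id -> nonce issued
    authenticated: Set[str] = field(default_factory=set)      # conn_ids past the handshake

    def _challenge(self, conn_id: str) -> Tuple[int, Dict[str, str]]:
        # Issue a fresh challenge bound to THIS backend connection.
        nonce = secrets.token_hex(4)
        self.challenges[conn_id] = nonce
        return 401, {"WWW-Authenticate": f"Negotiate {nonce}"}

    def handle(self, conn_id: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
        if conn_id in self.authenticated:
            # Connection already authenticated: no per-request credentials needed.
            return 200, {"Content-Type": "application/json"}
        token = headers.get("Authorization")
        if token is None:
            return self._challenge(conn_id)
        expected = self.challenges.get(conn_id)
        if expected is not None and token == f"Negotiate response-to-{expected}":
            # The answer matches the challenge issued on this connection.
            self.authenticated.add(conn_id)
            return 200, {"Content-Type": "application/json"}
        # Answer to a challenge this connection never issued: start over.
        return self._challenge(conn_id)


class PerRequestProxy:
    """Generic HTTP proxy: each request goes out on the next free backend
    connection, so one client's consecutive requests land on different ones."""

    def __init__(self, backend: ConnectionBoundBackend) -> None:
        self.backend = backend
        self._ids = itertools.count()

    def forward(self, client_conn: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
        backend_conn = f"be-{next(self._ids)}"  # new backend connection every time
        return self.backend.handle(backend_conn, headers)


class PinnedProxy:
    """Proxy that keeps one backend connection alive and bound to each client
    connection, which is what the reply says an NTLM-aware proxy must do."""

    def __init__(self, backend: ConnectionBoundBackend) -> None:
        self.backend = backend
        self._pins: Dict[str, str] = {}

    def forward(self, client_conn: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
        backend_conn = self._pins.setdefault(client_conn, f"be-for-{client_conn}")
        return self.backend.handle(backend_conn, headers)


def run_handshake(proxy, client_conn: str = "client-1", max_rounds: int = 3) -> List[int]:
    """Client side: send the request, answer each challenge, stop on 200.

    Returns the sequence of status codes the client saw.
    """
    statuses: List[int] = []
    headers: Dict[str, str] = {}
    for _ in range(max_rounds):
        status, resp = proxy.forward(client_conn, headers)
        statuses.append(status)
        if status == 200:
            break
        challenge = resp["WWW-Authenticate"].split(" ", 1)[1]
        headers = {"Authorization": f"Negotiate response-to-{challenge}"}
    return statuses


if __name__ == "__main__":
    print("generic proxy:", run_handshake(PerRequestProxy(ConnectionBoundBackend())))
    print("pinned proxy: ", run_handshake(PinnedProxy(ConnectionBoundBackend())))
```

Through the generic proxy the client never gets past 401, however many rounds it tries, because each answer reaches a backend connection that issued no challenge; through the pinned proxy it gets 401 once and then 200. The `ntlm` upstream directive linked in the reply is the nginx Plus mechanism for the pinning behaviour the second proxy models.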


WWW-Authenticate in 200 OK response

2018-09-14 Thread Nica, George via nginx
I am currently working on a multi-tier application, trying to use nginx as load 
balancer.
The issue is that nginx seems to be adding WWW-Authenticate in the 200 OK 
response after the Kerberos authentication has taken place, which confuses the 
client. (The client could potentially ignore it, but that's possibly another 
issue.)
Not sure this is expected... Any suggestion on how to avoid or work around this?

[2018-09-14 14:46:14.471] root INFO: @@ Connecting to: 
'http://host1:39609/url1'
send: 'GET /url1 HTTP/1.1\r\nX-Client-User-Name: uname1\r\nAccept-Encoding: 
gzip\r\nConnection: close\r\nAccept: application/json\r\nUser-Agent: 
qz.qzdev.run\r\nHost: host1:39609\r\nX-Client-Host-Name: host2\r\nContent-Type: 
application/json\r\n\r\n'
reply: 'HTTP/1.1 401 Unauthorized\r\n'
header: Server: nginx/1.14.0
header: Date: Fri, 14 Sep 2018 18:46:14 GMT
header: Content-Type: text/html
header: Content-Length: 195
header: Connection: close
header: WWW-Authenticate: Negotiate
header: WWW-Authenticate: Basic realm=""
header: Access-Control-Allow-Credentials: true
send: 'GET /url1 HTTP/1.1\r\nX-Client-User-Name: uname1\r\nAccept-Encoding: 
gzip\r\nConnection: close\r\nAccept: application/json\r\nUser-Agent: 
qz.qzdev.run\r\nHost: host1:39609\r\nX-Client-Host-Name: host2\r\nContent-Type: 
application/json\r\nAuthorization: Negotiate YII 
AghEw==\r\n\r\n'
reply: 'HTTP/1.1 200 OK\r\n'
header: Server: nginx/1.14.0
header: Date: Fri, 14 Sep 2018 18:46:14 GMT
header: Content-Type: application/json
header: Content-Length: 430908
header: Connection: close
header: WWW-Authenticate: Negotiate YI .gA==
header: WWW-Authenticate: Basic realm=""
header: Set-Cookie: session=ey...ZW4; HttpOnly; Path=/
header: Access-Control-Allow-Credentials: true
[2018-09-14 14:46:14.779] client_http_auth CRITICAL: GSSAPI failed!

Best regards,
George
