Re: [twsocket] Is there any way to force NTLM to authenticate against a given AD domain?

Fastream Technologies wrote:
> On Sat, Dec 18, 2010 at 6:49 PM, Arno Garrels wrote:
>> Fastream Technologies wrote:
>>> Hi,
>>>
>>> We just need to use the AD domain server as a user database to authenticate users according to the domain sets IQP admin desires. I believe there should be a way to connect to AD directory server and ask if domain\usern...@password is valid or not! (the syntax may be different but I guess you get what I mean).
>>
>> Just a side note: You'll never see the password.
>
> Indeed. No problem anyway.

Exiting, if there was no problem, why don't you implement this beating feature on your own?

--
Arno Garrels

--
To unsubscribe or change your settings for TWSocket mailing list please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be
Re: [twsocket] Is there any way to force NTLM to authenticate against a given AD domain?

On Sat, Dec 18, 2010 at 6:49 PM, Arno Garrels wrote:
> Fastream Technologies wrote:
>> Hi,
>>
>> We just need to use the AD domain server as a user database to authenticate users according to the domain sets IQP admin desires. I believe there should be a way to connect to AD directory server and ask if domain\usern...@password is valid or not! (the syntax may be different but I guess you get what I mean).
>
> Just a side note: You'll never see the password.

Indeed. No problem anyway.

SZ
Re: [twsocket] Is there any way to force NTLM to authenticate against a given AD domain?

Fastream Technologies wrote:
> Hi,
>
> We just need to use the AD domain server as a user database to authenticate users according to the domain sets IQP admin desires. I believe there should be a way to connect to AD directory server and ask if domain\usern...@password is valid or not! (the syntax may be different but I guess you get what I mean).

Just a side note: You'll never see the password.

--
Arno Garrels
Re: [twsocket] Is there any way to force NTLM to authenticate against a given AD domain?

Hi,

We just need to use the AD domain server as a user database to authenticate users according to the domain sets IQP admin desires. I believe there should be a way to connect to AD directory server and ask if domain\usern...@password is valid or not! (the syntax may be different but I guess you get what I mean).

Regards,
SZ

On Fri, Dec 17, 2010 at 7:26 PM, Arno Garrels wrote:
> Fastream Technologies wrote:
>> Hi Arno,
>>
>> On Fri, Dec 17, 2010 at 12:22 PM, Arno Garrels wrote:
>>> Fastream Technologies wrote:
>>>> Let's say the web server is listening on the IP 192.168.2.2. A virtual server is an Apache term for two domains on the same IP such as www.domain1.com and www.domain2.com. We want people who log on to domain1 to be authenticated against NTLMdomain1 and domain2 to NTLMdomain2.
>>>
>>> If you forward the request you have to forward the NTLM requests as well, authentication happens on the destination server and the proxy must not have membership in destination server's Windows domain.
>>>
>>> If the content is cached by the proxy and IF the proxy machine is a member of destination server's Windows domain I strongly _guess_ that it is not required to specify a domain target. Otherwise I guess that IF the proxy is not a member of destination server's Windows domain you have a problem that cannot be resolved easily.
>>>
>>> I wonder how you can sell a product with untested features. I suggest that you first set up different domain environments and test the product, you do not need much hardware for this, VMs will do. I guess there are even trial versions of Windows server editions available in case you don't have enough licenses.
>>
>> We have already downloaded trial Win2008R2. Let me elaborate our customers' needs:
>>
>> They want to authenticate the end users on the reverse proxy. I mean the web server will not have authentication on! The reverse proxy will first authenticate then connect to target web server and GET/POST/HEAD... Actually IQP already does all these but only to the AD domain the rproxy machine is logged on to. The customers have much more complex environments, with multiple domains etc. They need to have sales.company.com to be authenticated against the NTLM domain "sales" and support.company.com to be authenticated against the NTLM domain "support". The admin of the proxy will just assign the NTLM domains to the URL Rules (HTTP domain names in this example) and it should work--simply!
>
> Are there any other proxy servers with such a feature available? I doubt that it is possible, but I'm not a specialist in Active Directory.
>
> What might work, for instance, if "sales" was a child domain of parent domain "company.com" and if clients authenticate with the domain target in user name like "sales.company.com\username" or "company.com\username", however even that depends on the domain setup AFAIK.
>
> --
> Arno Garrels
Re: [twsocket] Is there any way to force NTLM to authenticate against a given AD domain?

Fastream Technologies wrote:
> Hi Arno,
>
> On Fri, Dec 17, 2010 at 12:22 PM, Arno Garrels wrote:
>> Fastream Technologies wrote:
>>> Let's say the web server is listening on the IP 192.168.2.2. A virtual server is an Apache term for two domains on the same IP such as www.domain1.com and www.domain2.com. We want people who log on to domain1 to be authenticated against NTLMdomain1 and domain2 to NTLMdomain2.
>>
>> If you forward the request you have to forward the NTLM requests as well, authentication happens on the destination server and the proxy must not have membership in destination server's Windows domain.
>>
>> If the content is cached by the proxy and IF the proxy machine is a member of destination server's Windows domain I strongly _guess_ that it is not required to specify a domain target. Otherwise I guess that IF the proxy is not a member of destination server's Windows domain you have a problem that cannot be resolved easily.
>>
>> I wonder how you can sell a product with untested features. I suggest that you first set up different domain environments and test the product, you do not need much hardware for this, VMs will do. I guess there are even trial versions of Windows server editions available in case you don't have enough licenses.
>
> We have already downloaded trial Win2008R2. Let me elaborate our customers' needs:
>
> They want to authenticate the end users on the reverse proxy. I mean the web server will not have authentication on! The reverse proxy will first authenticate then connect to target web server and GET/POST/HEAD... Actually IQP already does all these but only to the AD domain the rproxy machine is logged on to. The customers have much more complex environments, with multiple domains etc. They need to have sales.company.com to be authenticated against the NTLM domain "sales" and support.company.com to be authenticated against the NTLM domain "support". The admin of the proxy will just assign the NTLM domains to the URL Rules (HTTP domain names in this example) and it should work--simply!

Are there any other proxy servers with such a feature available? I doubt that it is possible, but I'm not a specialist in Active Directory.

What might work, for instance, if "sales" was a child domain of parent domain "company.com" and if clients authenticate with the domain target in user name like "sales.company.com\username" or "company.com\username", however even that depends on the domain setup AFAIK.

--
Arno Garrels
Re: [twsocket] Is there any way to force NTLM to authenticate against a given AD domain?

Hi Arno,

On Fri, Dec 17, 2010 at 12:22 PM, Arno Garrels wrote:
> Fastream Technologies wrote:
>> Let's say the web server is listening on the IP 192.168.2.2. A virtual server is an Apache term for two domains on the same IP such as www.domain1.com and www.domain2.com. We want people who log on to domain1 to be authenticated against NTLMdomain1 and domain2 to NTLMdomain2.
>
> If you forward the request you have to forward the NTLM requests as well, authentication happens on the destination server and the proxy must not have membership in destination server's Windows domain.
>
> If the content is cached by the proxy and IF the proxy machine is a member of destination server's Windows domain I strongly _guess_ that it is not required to specify a domain target. Otherwise I guess that IF the proxy is not a member of destination server's Windows domain you have a problem that cannot be resolved easily.
>
> I wonder how you can sell a product with untested features. I suggest that you first set up different domain environments and test the product, you do not need much hardware for this, VMs will do. I guess there are even trial versions of Windows server editions available in case you don't have enough licenses.

We have already downloaded trial Win2008R2. Let me elaborate our customers' needs:

They want to authenticate the end users on the reverse proxy. I mean the web server will not have authentication on! The reverse proxy will first authenticate then connect to target web server and GET/POST/HEAD... Actually IQP already does all these but only to the AD domain the rproxy machine is logged on to. The customers have much more complex environments, with multiple domains etc. They need to have sales.company.com to be authenticated against the NTLM domain "sales" and support.company.com to be authenticated against the NTLM domain "support". The admin of the proxy will just assign the NTLM domains to the URL Rules (HTTP domain names in this example) and it should work--simply!

Regards,
SZ
Re: [twsocket] Is there any way to force NTLM to authenticate against a given AD domain?

Fastream Technologies wrote:
> Let's say the web server is listening on the IP 192.168.2.2. A virtual server is an Apache term for two domains on the same IP such as www.domain1.com and www.domain2.com. We want people who log on to domain1 to be authenticated against NTLMdomain1 and domain2 to NTLMdomain2.

If you forward the request you have to forward the NTLM requests as well, authentication happens on the destination server and the proxy must not have membership in destination server's Windows domain.

If the content is cached by the proxy and IF the proxy machine is a member of destination server's Windows domain I strongly _guess_ that it is not required to specify a domain target. Otherwise I guess that IF the proxy is not a member of destination server's Windows domain you have a problem that cannot be resolved easily.

I wonder how you can sell a product with untested features. I suggest that you first set up different domain environments and test the product, you do not need much hardware for this, VMs will do. I guess there are even trial versions of Windows server editions available in case you don't have enough licenses.

--
Arno Garrels
Re: [twsocket] Is there any way to force NTLM to authenticate against a given AD domain?

Let's say the web server is listening on the IP 192.168.2.2. A virtual server is an Apache term for two domains on the same IP such as www.domain1.com and www.domain2.com. We want people who log on to domain1 to be authenticated against NTLMdomain1 and domain2 to NTLMdomain2. These should be configurable by the admin user (let's say the application programmer will assign the property NTLMDomain in OnGetDocument). Sorry for my "quick" English.

HTH,
SZ

On Fri, Dec 17, 2010 at 10:47 AM, Francois PIETTE wrote:
>> Alright. Let's say there are two virtual servers, one per domain on the ICS web server. For example in OnGetDocument, you assign different TFileStream's to different FRequestHost's. I need each HTTP domain's user set to authenticate against a different AD/NTLM domain. It will be the application programmer/admin-configuration responsible for setting the NTLM domain name with respect to the FRequestHost. One future feature might be the ability to enable multiple NTLM domains per FRequestHost of which the end user would choose from by the syntax domain\user while logging in.
>
> Sorry, I don't understand, even the first sentence.
>
> --
> francois.pie...@overbyte.be
> http://www.overbyte.be
Re: [twsocket] Is there any way to force NTLM to authenticate against a given AD domain?

> Alright. Let's say there are two virtual servers, one per domain on the ICS web server. For example in OnGetDocument, you assign different TFileStream's to different FRequestHost's. I need each HTTP domain's user set to authenticate against a different AD/NTLM domain. It will be the application programmer/admin-configuration responsible for setting the NTLM domain name with respect to the FRequestHost. One future feature might be the ability to enable multiple NTLM domains per FRequestHost of which the end user would choose from by the syntax domain\user while logging in.

Sorry, I don't understand, even the first sentence.

--
francois.pie...@overbyte.be
http://www.overbyte.be
Re: [twsocket] Is there any way to force NTLM to authenticate against a given AD domain?

Hello,

Alright. Let's say there are two virtual servers, one per domain on the ICS web server. For example in OnGetDocument, you assign different TFileStream's to different FRequestHost's. I need each HTTP domain's user set to authenticate against a different AD/NTLM domain. It will be the application programmer/admin-configuration responsible for setting the NTLM domain name with respect to the FRequestHost. One future feature might be the ability to enable multiple NTLM domains per FRequestHost of which the end user would choose from by the syntax domain\user while logging in.

Best Regards,
SZ

On Thu, Dec 16, 2010 at 9:35 PM, Arno Garrels wrote:
> Fastream Technologies wrote:
>> On Thu, Dec 16, 2010 at 7:51 PM, Arno Garrels wrote:
>>> Fastream Technologies wrote:
>>>> Hello,
>>>>
>>>> On Thu, Dec 16, 2010 at 7:04 PM, Arno Garrels wrote:
>>>>> Fastream Technologies wrote:
>>>>>> Hello,
>>>>>>
>>>>>> On Thu, Dec 16, 2010 at 5:00 PM, Arno Garrels wrote:
>>>>>>> Fastream Technologies wrote:
>>>>>>>> So since we are talking about the web server, the NTLMDomain property should be of THttpConnection, NOT the THttpServer. In the OnGet/Head/PostDocument it should be set by the app coder or if it is not set then it will be null hence work as it is now.
>>>>>>>>
>>>>>>>> I was talking about the web server but the client also needs some mechanism to indicate the NTLM domain so that it can send request to the web server in case of NTLM on the web server. But wait a minute, when there is reverse proxy sitting in front, web servers cannot authenticate with NTLM, can they?
>>>>>>>
>>>>>>> Important to know for readers was how exactly the NTLM authentication is handled by your proxy _currently_ and in what way you want to change that design, nobody knows that so far. Adding a string property is a matter of two lines of code, even a BCB developer should be able to do that in Delphi.
>>>>>>
>>>>>> You are right. When IQP receives the request, in the ProcessRequest() it scans the defined URL Rules set by the end user from top to bottom for a match to decide which target web server to route/redirect to. A URL Rule list could be like,
>>>>>>
>>>>>> 1. ssl://www.fastream.com/owa
>>>>>> 2. http://www.fastream.com/path/file.htm ("URL Rule is file" flag set)
>>>>>> 3. *://www.iqproxyserver.com [2]
>>>>>> 4. *://www.iqproxyserver.com
>>>>>> 5. *://*
>>>>>>
>>>>>> The last one must be *://* as a catch-all. We enabled 3. and 4. in the same list from v4.5 on to let users route to different target server IP/port/path with respect to client location (country). See http://www.iqproxyserver.com (home page, bottom) for a screenshot example of this.
>>>>>>
>>>>>> Now, I want each URL Rule to be able to have one NTLM domain to authenticate against.
>>>>>
>>>>> For what reason? What does currently not work? Give us an example please.
>>>>
>>>> Personally I never needed such feature but customers who use reverse proxy as SSL VPN they say they need it.
>>>
>>> So, the question remains "What kind of feature?".
>>
>> Each URL Rule should be able to authenticate against a configurable AD domain!
>
> If you are not able to specify the "feature" more detailed you have to add one or two zeros to your offer (at least) or otherwise try to find someone in India. There should be tons of mails in your spam-folder offering software development for nothing.
>
> --
> Arno Garrels
Re: [twsocket] Is there any way to force NTLM to authenticate against a given AD domain?

Fastream Technologies wrote:
> On Thu, Dec 16, 2010 at 7:51 PM, Arno Garrels wrote:
>> Fastream Technologies wrote:
>>> Hello,
>>>
>>> On Thu, Dec 16, 2010 at 7:04 PM, Arno Garrels wrote:
>>>> Fastream Technologies wrote:
>>>>> Hello,
>>>>>
>>>>> On Thu, Dec 16, 2010 at 5:00 PM, Arno Garrels wrote:
>>>>>> Fastream Technologies wrote:
>>>>>>> So since we are talking about the web server, the NTLMDomain property should be of THttpConnection, NOT the THttpServer. In the OnGet/Head/PostDocument it should be set by the app coder or if it is not set then it will be null hence work as it is now.
>>>>>>>
>>>>>>> I was talking about the web server but the client also needs some mechanism to indicate the NTLM domain so that it can send request to the web server in case of NTLM on the web server. But wait a minute, when there is reverse proxy sitting in front, web servers cannot authenticate with NTLM, can they?
>>>>>>
>>>>>> Important to know for readers was how exactly the NTLM authentication is handled by your proxy _currently_ and in what way you want to change that design, nobody knows that so far. Adding a string property is a matter of two lines of code, even a BCB developer should be able to do that in Delphi.
>>>>>
>>>>> You are right. When IQP receives the request, in the ProcessRequest() it scans the defined URL Rules set by the end user from top to bottom for a match to decide which target web server to route/redirect to. A URL Rule list could be like,
>>>>>
>>>>> 1. ssl://www.fastream.com/owa
>>>>> 2. http://www.fastream.com/path/file.htm ("URL Rule is file" flag set)
>>>>> 3. *://www.iqproxyserver.com [2]
>>>>> 4. *://www.iqproxyserver.com
>>>>> 5. *://*
>>>>>
>>>>> The last one must be *://* as a catch-all. We enabled 3. and 4. in the same list from v4.5 on to let users route to different target server IP/port/path with respect to client location (country). See http://www.iqproxyserver.com (home page, bottom) for a screenshot example of this.
>>>>>
>>>>> Now, I want each URL Rule to be able to have one NTLM domain to authenticate against.
>>>>
>>>> For what reason? What does currently not work? Give us an example please.
>>>
>>> Personally I never needed such feature but customers who use reverse proxy as SSL VPN they say they need it.
>>
>> So, the question remains "What kind of feature?".
>
> Each URL Rule should be able to authenticate against a configurable AD domain!

If you are not able to specify the "feature" more detailed you have to add one or two zeros to your offer (at least) or otherwise try to find someone in India. There should be tons of mails in your spam-folder offering software development for nothing.

--
Arno Garrels
Re: [twsocket] Is there any way to force NTLM to authenticate against a given AD domain?

> Each URL Rule should be able to authenticate against a configurable AD domain!

This is not ICS component language. Please translate this into client or server component behaviour. Be clear about which component you talk about.

--
francois.pie...@overbyte.be
The author of the freeware multi-tier middleware MidWare
The author of the freeware Internet Component Suite (ICS)
http://www.overbyte.be
Re: [twsocket] Is there any way to force NTLM to authenticate against a given AD domain?

> Personally I never needed such feature but customers who use reverse proxy as SSL VPN they say they need it.

Is it possible for you to clearly define the requirements, not in terms of your own application, but in terms of HTTP client and server components? Describe why and how the current behaviour doesn't fit your requirements. Describe what has to change and how. Describe some use case, again not in terms of your application, but in terms of ICS components.

--
francois.pie...@overbyte.be
The author of the freeware multi-tier middleware MidWare
The author of the freeware Internet Component Suite (ICS)
http://www.overbyte.be
Re: [twsocket] Is there any way to force NTLM to authenticate against a given AD domain?

On Thu, Dec 16, 2010 at 7:51 PM, Arno Garrels wrote:
> Fastream Technologies wrote:
>> Hello,
>>
>> On Thu, Dec 16, 2010 at 7:04 PM, Arno Garrels wrote:
>>> Fastream Technologies wrote:
>>>> Hello,
>>>>
>>>> On Thu, Dec 16, 2010 at 5:00 PM, Arno Garrels wrote:
>>>>> Fastream Technologies wrote:
>>>>>> So since we are talking about the web server, the NTLMDomain property should be of THttpConnection, NOT the THttpServer. In the OnGet/Head/PostDocument it should be set by the app coder or if it is not set then it will be null hence work as it is now.
>>>>>>
>>>>>> I was talking about the web server but the client also needs some mechanism to indicate the NTLM domain so that it can send request to the web server in case of NTLM on the web server. But wait a minute, when there is reverse proxy sitting in front, web servers cannot authenticate with NTLM, can they?
>>>>>
>>>>> Important to know for readers was how exactly the NTLM authentication is handled by your proxy _currently_ and in what way you want to change that design, nobody knows that so far. Adding a string property is a matter of two lines of code, even a BCB developer should be able to do that in Delphi.
>>>>
>>>> You are right. When IQP receives the request, in the ProcessRequest() it scans the defined URL Rules set by the end user from top to bottom for a match to decide which target web server to route/redirect to. A URL Rule list could be like,
>>>>
>>>> 1. ssl://www.fastream.com/owa
>>>> 2. http://www.fastream.com/path/file.htm ("URL Rule is file" flag set)
>>>> 3. *://www.iqproxyserver.com [2]
>>>> 4. *://www.iqproxyserver.com
>>>> 5. *://*
>>>>
>>>> The last one must be *://* as a catch-all. We enabled 3. and 4. in the same list from v4.5 on to let users route to different target server IP/port/path with respect to client location (country). See http://www.iqproxyserver.com (home page, bottom) for a screenshot example of this.
>>>>
>>>> Now, I want each URL Rule to be able to have one NTLM domain to authenticate against.
>>>
>>> For what reason? What does currently not work? Give us an example please.
>>
>> Personally I never needed such feature but customers who use reverse proxy as SSL VPN they say they need it.
>
> So, the question remains "What kind of feature?".

Each URL Rule should be able to authenticate against a configurable AD domain!

SZ
Re: [twsocket] Is there any way to force NTLM to authenticate against a given AD domain?

Fastream Technologies wrote:
> Hello,
>
> On Thu, Dec 16, 2010 at 7:04 PM, Arno Garrels wrote:
>> Fastream Technologies wrote:
>>> Hello,
>>>
>>> On Thu, Dec 16, 2010 at 5:00 PM, Arno Garrels wrote:
>>>> Fastream Technologies wrote:
>>>>> So since we are talking about the web server, the NTLMDomain property should be of THttpConnection, NOT the THttpServer. In the OnGet/Head/PostDocument it should be set by the app coder or if it is not set then it will be null hence work as it is now.
>>>>>
>>>>> I was talking about the web server but the client also needs some mechanism to indicate the NTLM domain so that it can send request to the web server in case of NTLM on the web server. But wait a minute, when there is reverse proxy sitting in front, web servers cannot authenticate with NTLM, can they?
>>>>
>>>> Important to know for readers was how exactly the NTLM authentication is handled by your proxy _currently_ and in what way you want to change that design, nobody knows that so far. Adding a string property is a matter of two lines of code, even a BCB developer should be able to do that in Delphi.
>>>
>>> You are right. When IQP receives the request, in the ProcessRequest() it scans the defined URL Rules set by the end user from top to bottom for a match to decide which target web server to route/redirect to. A URL Rule list could be like,
>>>
>>> 1. ssl://www.fastream.com/owa
>>> 2. http://www.fastream.com/path/file.htm ("URL Rule is file" flag set)
>>> 3. *://www.iqproxyserver.com [2]
>>> 4. *://www.iqproxyserver.com
>>> 5. *://*
>>>
>>> The last one must be *://* as a catch-all. We enabled 3. and 4. in the same list from v4.5 on to let users route to different target server IP/port/path with respect to client location (country). See http://www.iqproxyserver.com (home page, bottom) for a screenshot example of this.
>>>
>>> Now, I want each URL Rule to be able to have one NTLM domain to authenticate against.
>>
>> For what reason? What does currently not work? Give us an example please.
>
> Personally I never needed such feature but customers who use reverse proxy as SSL VPN they say they need it.

So, the question remains "What kind of feature?".

--
Arno Garrels
Re: [twsocket] Is there any way to force NTLM to authenticate against a given AD domain?

Hello,

On Thu, Dec 16, 2010 at 7:04 PM, Arno Garrels wrote:
> Fastream Technologies wrote:
>> Hello,
>>
>> On Thu, Dec 16, 2010 at 5:00 PM, Arno Garrels wrote:
>>> Fastream Technologies wrote:
>>>> So since we are talking about the web server, the NTLMDomain property should be of THttpConnection, NOT the THttpServer. In the OnGet/Head/PostDocument it should be set by the app coder or if it is not set then it will be null hence work as it is now.
>>>>
>>>> I was talking about the web server but the client also needs some mechanism to indicate the NTLM domain so that it can send request to the web server in case of NTLM on the web server. But wait a minute, when there is reverse proxy sitting in front, web servers cannot authenticate with NTLM, can they?
>>>
>>> Important to know for readers was how exactly the NTLM authentication is handled by your proxy _currently_ and in what way you want to change that design, nobody knows that so far. Adding a string property is a matter of two lines of code, even a BCB developer should be able to do that in Delphi.
>>
>> You are right. When IQP receives the request, in the ProcessRequest() it scans the defined URL Rules set by the end user from top to bottom for a match to decide which target web server to route/redirect to. A URL Rule list could be like,
>>
>> 1. ssl://www.fastream.com/owa
>> 2. http://www.fastream.com/path/file.htm ("URL Rule is file" flag set)
>> 3. *://www.iqproxyserver.com [2]
>> 4. *://www.iqproxyserver.com
>> 5. *://*
>>
>> The last one must be *://* as a catch-all. We enabled 3. and 4. in the same list from v4.5 on to let users route to different target server IP/port/path with respect to client location (country). See http://www.iqproxyserver.com (home page, bottom) for a screenshot example of this.
>>
>> Now, I want each URL Rule to be able to have one NTLM domain to authenticate against.
>
> For what reason? What does currently not work? Give us an example please.

Personally I never needed such feature but customers who use reverse proxy as SSL VPN they say they need it.

Regards,
SZ
Re: [twsocket] Is there any way to force NTLM toauthenticateagainstagiven AD domain?
Fastream Technologies wrote: > Hello, > > On Thu, Dec 16, 2010 at 5:00 PM, Arno Garrels > wrote: > >> Fastream Technologies wrote: >>> So since we are talking about the web server, the NTLMDomain >>> property should be of THttpConnection, NOT the THttpServer. In the >>> OnGet/Head/PostDocument it should be set by the app coder or if it >>> is not set then it will be null hence work as it is now. >> >>> I was talking about the web server but the client also needs some >>> mechanism to indicate the NTLM domain so that it can send request to >>> the web server in case of NTLM on the web server. But wait a minute, >>> when there is reverse proxy sitting in front, web servers cannot >>> authenticate with NTLM, can they? >> >> Important to know for readers was how exactly the NTLM authentication >> is handled by your proxy _currently_ and in what way you want to >> change that design, nobody nows that so far. >> Adding a string property is a matter of two lines of code, even a BCB >> developer should be able to do that in Delphi. >> >> > You are right. When IQP receives the request, in the ProcessRequest() > it scans the defined URL Rules set by the end user from top to bottom > for a match to decide which target web server to route/redirect to. A > URL Rule list could be like, > > 1. ssl://www.fastream.com/owa > 2. http://www.fastream.com/path/file.htm ("URL Rule is file" flag set) > 3. *://www.iqproxyserver.com [2] > 4. *://www.iqproxyserver.com > 5. *://* > > The last one must be *://* as a catch-all. We enabled 3. and 4. in > the same list in from v4.5 on to let users route to different target > server IP/port/path with respect to client location (country). See > http://www.iqproxyserver.com (home page, bottom) for a screenshot > example of this. > > Now, I want each URL Rule to be able to have one NTLM domain to > authenticate against. For what reason? What does currently not work? Give us an example please. 
--
Arno Garrels
Re: [twsocket] Is there any way to force NTLM to authenticate against a given AD domain?
Hello,

On Thu, Dec 16, 2010 at 5:00 PM, Arno Garrels wrote:
> Fastream Technologies wrote:
> > So since we are talking about the web server, the NTLMDomain property should be of THttpConnection, NOT the THttpServer. In the OnGet/Head/PostDocument it should be set by the app coder, or if it is not set then it will be null and hence work as it does now.
>
> > I was talking about the web server, but the client also needs some mechanism to indicate the NTLM domain so that it can send requests to the web server in case of NTLM on the web server. But wait a minute, when there is a reverse proxy sitting in front, web servers cannot authenticate with NTLM, can they?
>
> Important to know for readers was how exactly the NTLM authentication is handled by your proxy _currently_ and in what way you want to change that design; nobody knows that so far.
> Adding a string property is a matter of two lines of code, even a BCB developer should be able to do that in Delphi.
>

You are right. When IQP receives the request, in the ProcessRequest() it scans the defined URL Rules set by the end user from top to bottom for a match to decide which target web server to route/redirect to. A URL Rule list could be like,

1. ssl://www.fastream.com/owa
2. http://www.fastream.com/path/file.htm ("URL Rule is file" flag set)
3. *://www.iqproxyserver.com [2]
4. *://www.iqproxyserver.com
5. *://*

The last one must be *://* as a catch-all. We enabled 3. and 4. in the same list from v4.5 on to let users route to different target server IP/port/path with respect to client location (country). See http://www.iqproxyserver.com (home page, bottom) for a screenshot example of this.

Now, I want each URL Rule to be able to have one NTLM domain to authenticate against. I hope it is clearer now.
Best Regards,

SubZero
Re: [twsocket] Is there any way to force NTLM to authenticate against a given AD domain?
Fastream Technologies wrote:
> So since we are talking about the web server, the NTLMDomain property should be of THttpConnection, NOT the THttpServer. In the OnGet/Head/PostDocument it should be set by the app coder, or if it is not set then it will be null and hence work as it does now.

> I was talking about the web server, but the client also needs some mechanism to indicate the NTLM domain so that it can send requests to the web server in case of NTLM on the web server. But wait a minute, when there is a reverse proxy sitting in front, web servers cannot authenticate with NTLM, can they?

Important to know for readers was how exactly the NTLM authentication is handled by your proxy _currently_ and in what way you want to change that design; nobody knows that so far.
Adding a string property is a matter of two lines of code, even a BCB developer should be able to do that in Delphi.

--
Arno Garrels
Re: [twsocket] Is there any way to force NTLM to authenticate against a given AD domain?
So since we are talking about the web server, the NTLMDomain property should be of THttpConnection, NOT the THttpServer. In the OnGet/Head/PostDocument it should be set by the app coder, or if it is not set then it will be null and hence work as it does now.

Regards,

SZ

On Thu, Dec 16, 2010 at 4:15 PM, Fastream Technologies wrote:
> Dear Arno,
>
> I was talking about the web server, but the client also needs some mechanism to indicate the NTLM domain so that it can send requests to the web server in case of NTLM on the web server. But wait a minute, when there is a reverse proxy sitting in front, web servers cannot authenticate with NTLM, can they?
>
> Regards,
>
> SZ
>
> On Thu, Dec 16, 2010 at 4:11 PM, Arno Garrels wrote:
>
>> Fastream Technologies wrote:
>> > Sorry for the confusion. I meant there should be a new event with a reference String variable which would be set by the application programmer to set the NTLM domain before the NTLM message 1 is sent.
>>
>> > Or maybe there could just be a new String property which would be null by default (for the current domain).
>>
>> Are you still talking about the THttpServer?
>>
>> > What our users need from our reverse proxy is to be able to connect to NTLM domain #1 for a URL such as www.domain.com/app1 and NTLM domain #2 for a URL such as www.domain.com/app2. It could be some other HTTP domain as well (multi-homed). So we need a flexible solution such as the one I described.
>>
>> That sounds more like changes to the THttpCli.
>>
>> Is the server-side in your proxy authenticating the clients?
>>
>> Unfortunately my crystal ball is still under repair.
>>
>> --
>> Arno Garrels
>>
>> > Regards,
>> >
>> > SZ
>> >
>> > On Thu, Dec 16, 2010 at 3:21 PM, Arno Garrels wrote:
>> >
>> >> Fastream Technologies wrote:
>> >>> Does anybody else who needs this feature want to be a sponsor for it? As I said, we offer $180 if it could be completed by January 1st.
>> >>
>> >>> Does anybody else who needs this feature want to be a sponsor for it? As I said, we offer $180 if it could be completed by January 1st.
>> >>
>> >> Your offer was:
>> >>
>> >>> I thought I should have made our offer more concrete. We would like to offer $180 to a coder who can make the ICS code advancement so that an event with a reference variable called NTLMDomain would return the NTLM domain to authenticate against after the request is received for the HTTPS server. Anybody interested should contact me at ga...@fastream.com. We can pay with Paypal.
>> >>
>> >> I wonder what you mean by "feature"? Just "returning" the target domain is an easy task. At least you should be able to phrase the task correctly or pay somebody else to do it for you.
>> >>
>> >> --
>> >> Arno Garrels
Re: [twsocket] Is there any way to force NTLM to authenticate against a given AD domain?
Dear Arno,

I was talking about the web server, but the client also needs some mechanism to indicate the NTLM domain so that it can send requests to the web server in case of NTLM on the web server. But wait a minute, when there is a reverse proxy sitting in front, web servers cannot authenticate with NTLM, can they?

Regards,

SZ

On Thu, Dec 16, 2010 at 4:11 PM, Arno Garrels wrote:
> Fastream Technologies wrote:
> > Sorry for the confusion. I meant there should be a new event with a reference String variable which would be set by the application programmer to set the NTLM domain before the NTLM message 1 is sent.
>
> > Or maybe there could just be a new String property which would be null by default (for the current domain).
>
> Are you still talking about the THttpServer?
>
> > What our users need from our reverse proxy is to be able to connect to NTLM domain #1 for a URL such as www.domain.com/app1 and NTLM domain #2 for a URL such as www.domain.com/app2. It could be some other HTTP domain as well (multi-homed). So we need a flexible solution such as the one I described.
>
> That sounds more like changes to the THttpCli.
>
> Is the server-side in your proxy authenticating the clients?
>
> Unfortunately my crystal ball is still under repair.
>
> --
> Arno Garrels
>
> > Regards,
> >
> > SZ
> >
> > On Thu, Dec 16, 2010 at 3:21 PM, Arno Garrels wrote:
> >
> >> Fastream Technologies wrote:
> >>> Does anybody else who needs this feature want to be a sponsor for it? As I said, we offer $180 if it could be completed by January 1st.
> >>
> >>> Does anybody else who needs this feature want to be a sponsor for it? As I said, we offer $180 if it could be completed by January 1st.
> >>
> >> Your offer was:
> >>
> >>> I thought I should have made our offer more concrete. We would like to offer $180 to a coder who can make the ICS code advancement so that an event with a reference variable called NTLMDomain would return the NTLM domain to authenticate against after the request is received for the HTTPS server. Anybody interested should contact me at ga...@fastream.com. We can pay with Paypal.
> >>
> >> I wonder what you mean by "feature"? Just "returning" the target domain is an easy task. At least you should be able to phrase the task correctly or pay somebody else to do it for you.
> >>
> >> --
> >> Arno Garrels
Re: [twsocket] Is there any way to force NTLM to authenticate against a given AD domain?
Fastream Technologies wrote:
> Sorry for the confusion. I meant there should be a new event with a reference String variable which would be set by the application programmer to set the NTLM domain before the NTLM message 1 is sent.

> Or maybe there could just be a new String property which would be null by default (for the current domain).

Are you still talking about the THttpServer?

> What our users need from our reverse proxy is to be able to connect to NTLM domain #1 for a URL such as www.domain.com/app1 and NTLM domain #2 for a URL such as www.domain.com/app2. It could be some other HTTP domain as well (multi-homed). So we need a flexible solution such as the one I described.

That sounds more like changes to the THttpCli.

Is the server-side in your proxy authenticating the clients?

Unfortunately my crystal ball is still under repair.

--
Arno Garrels

> Regards,
>
> SZ
>
> On Thu, Dec 16, 2010 at 3:21 PM, Arno Garrels wrote:
>
>> Fastream Technologies wrote:
>>> Does anybody else who needs this feature want to be a sponsor for it? As I said, we offer $180 if it could be completed by January 1st.
>>
>>> Does anybody else who needs this feature want to be a sponsor for it? As I said, we offer $180 if it could be completed by January 1st.
>>
>> Your offer was:
>>
>>> I thought I should have made our offer more concrete. We would like to offer $180 to a coder who can make the ICS code advancement so that an event with a reference variable called NTLMDomain would return the NTLM domain to authenticate against after the request is received for the HTTPS server. Anybody interested should contact me at ga...@fastream.com. We can pay with Paypal.
>>
>> I wonder what you mean by "feature"? Just "returning" the target domain is an easy task. At least you should be able to phrase the task correctly or pay somebody else to do it for you.
>>
>> --
>> Arno Garrels
Re: [twsocket] Is there any way to force NTLM to authenticate against a given AD domain?
Sorry for the confusion. I meant there should be a new event with a reference String variable which would be set by the application programmer to set the NTLM domain before the NTLM message 1 is sent. Or maybe there could just be a new String property which would be null by default (for the current domain).

What our users need from our reverse proxy is to be able to connect to NTLM domain #1 for a URL such as www.domain.com/app1 and NTLM domain #2 for a URL such as www.domain.com/app2. It could be some other HTTP domain as well (multi-homed). So we need a flexible solution such as the one I described.

Regards,

SZ

On Thu, Dec 16, 2010 at 3:21 PM, Arno Garrels wrote:
> Fastream Technologies wrote:
> > Does anybody else who needs this feature want to be a sponsor for it? As I said, we offer $180 if it could be completed by January 1st.
>
> > Does anybody else who needs this feature want to be a sponsor for it? As I said, we offer $180 if it could be completed by January 1st.
>
> Your offer was:
>
> > I thought I should have made our offer more concrete. We would like to offer $180 to a coder who can make the ICS code advancement so that an event with a reference variable called NTLMDomain would return the NTLM domain to authenticate against after the request is received for the HTTPS server. Anybody interested should contact me at ga...@fastream.com. We can pay with Paypal.
>
> I wonder what you mean by "feature"? Just "returning" the target domain is an easy task. At least you should be able to phrase the task correctly or pay somebody else to do it for you.
>
> --
> Arno Garrels
Re: [twsocket] Is there any way to force NTLM to authenticate against a given AD domain?
Fastream Technologies wrote:
> Does anybody else who needs this feature want to be a sponsor for it? As I said, we offer $180 if it could be completed by January 1st.

> Does anybody else who needs this feature want to be a sponsor for it? As I said, we offer $180 if it could be completed by January 1st.

Your offer was:

> I thought I should have made our offer more concrete. We would like to offer $180 to a coder who can make the ICS code advancement so that an event with a reference variable called NTLMDomain would return the NTLM domain to authenticate against after the request is received for the HTTPS server. Anybody interested should contact me at ga...@fastream.com. We can pay with Paypal.

I wonder what you mean by "feature"? Just "returning" the target domain is an easy task. At least you should be able to phrase the task correctly or pay somebody else to do it for you.

--
Arno Garrels
Re: [twsocket] Is there any way to force NTLM to authenticate against a given AD domain?
Does anybody else who needs this feature want to be a sponsor for it? As I said, we offer $180 if it could be completed by January 1st.

Regards,

SZ

On Wed, Dec 15, 2010 at 5:59 PM, Maurizio Lotauro wrote:
> Arno Garrels writes:
>
> > Arno Garrels wrote:
> > > Arno Garrels wrote:
> > >> Maurizio Lotauro wrote:
> > >>> Arno Garrels writes:
> > >>> > Looks like it's not possible with current THttpCli:
> > >>>
> > >>> [...]
> > >>>
> > >>> Have you tried adding the domain to the name as dom...@user?
> > >>> Sometimes I need to do so to get it working.
> > >>
> > >> That doesn't work currently with the THttpCli,
> > >
> > > Most likely you are right and I was wrong. That works for me as well, at least against a simple workgroup server. I'm not able to test against a multi-domain server.
> >
> > Looks like both were right, since it depends on the NTLM version :)
>
> Well done Arno! :-)
>
> Since I used it a long time ago I remembered wrong. It was domain\user.
> I had a strange situation at the customer. Some users need to include the domain and some others do not. And for the people for whom it works without the domain, it doesn't with the domain. Since it works one way or the other I never minded ;-)
> The authentication was used for the proxy (an ISA server).
>
> Bye, Maurizio.
>
> This mail has been sent using Alpikom webmail system
> http://www.alpikom.it
Re: [twsocket] Is there any way to force NTLM to authenticate against a given AD domain?
Arno Garrels writes:

> Arno Garrels wrote:
> > Arno Garrels wrote:
> >> Maurizio Lotauro wrote:
> >>> Arno Garrels writes:
> >>> > Looks like it's not possible with current THttpCli:
> >>>
> >>> [...]
> >>>
> >>> Have you tried adding the domain to the name as dom...@user?
> >>> Sometimes I need to do so to get it working.
> >>
> >> That doesn't work currently with the THttpCli,
> >
> > Most likely you are right and I was wrong. That works for me as well, at least against a simple workgroup server. I'm not able to test against a multi-domain server.
>
> Looks like both were right, since it depends on the NTLM version :)

Well done Arno! :-)

Since I used it a long time ago I remembered wrong. It was domain\user.
I had a strange situation at the customer. Some users need to include the domain and some others do not. And for the people for whom it works without the domain, it doesn't with the domain. Since it works one way or the other I never minded ;-)
The authentication was used for the proxy (an ISA server).

Bye, Maurizio.

This mail has been sent using Alpikom webmail system
http://www.alpikom.it
Re: [twsocket] Is there any way to force NTLM to authenticate against a given AD domain?
So it still needs some work before the beta testing. AFAIU, if it is just one message to be modified, then it should not be very difficult to write generic code to cover all NTLM versions.

SZ

On Tue, Dec 14, 2010 at 10:22 AM, Arno Garrels wrote:
> Arno Garrels wrote:
> > Arno Garrels wrote:
> >> Maurizio Lotauro wrote:
> >>> Arno Garrels writes:
> >>> > Looks like it's not possible with current THttpCli:
> >>>
> >>> [...]
> >>>
> >>> Have you tried adding the domain to the name as dom...@user?
> >>> Sometimes I need to do so to get it working.
> >>
> >> That doesn't work currently with the THttpCli,
> >
> > Most likely you are right and I was wrong. That works for me as well, at least against a simple workgroup server. I'm not able to test against a multi-domain server.
>
> Looks like both were right, since it depends on the NTLM version :)
> http://davenport.sourceforge.net/ntlm.html#nameVariations
>
> --
> Arno Garrels
Re: [twsocket] Is there any way to force NTLM to authenticate against a given AD domain?
Arno Garrels wrote:
> Arno Garrels wrote:
>> Maurizio Lotauro wrote:
>>> Arno Garrels writes:
>>> > Looks like it's not possible with current THttpCli:
>>>
>>> [...]
>>>
>>> Have you tried adding the domain to the name as dom...@user?
>>> Sometimes I need to do so to get it working.
>>
>> That doesn't work currently with the THttpCli,
>
> Most likely you are right and I was wrong. That works for me as well, at least against a simple workgroup server. I'm not able to test against a multi-domain server.

Looks like both were right, since it depends on the NTLM version :)
http://davenport.sourceforge.net/ntlm.html#nameVariations

--
Arno Garrels
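Two protocol details run through this thread: SZ's request to set the NTLM domain before "NTLM message 1" is sent, and the domain\user versus user@domain name variations Arno points to. The Python below is an added example, not ICS code and not from anyone in the thread; it encodes and parses an NTLM Type 1 (negotiate) message with an optional OEM domain, and splits a credential name in either spelling. Flag values and layout follow the NTLM documentation the thread links; the function names and the sample values in the comments are my own.

```python
import base64
import struct

# NTLM negotiate flags used below (subset; values per MS-NLMP / davenport doc).
NEGOTIATE_UNICODE = 0x00000001
NEGOTIATE_OEM = 0x00000002
REQUEST_TARGET = 0x00000004
NEGOTIATE_NTLM = 0x00000200
OEM_DOMAIN_SUPPLIED = 0x00001000       # Type 1 carries a domain name
OEM_WORKSTATION_SUPPLIED = 0x00002000  # Type 1 carries a workstation name
NEGOTIATE_ALWAYS_SIGN = 0x00008000
NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000

SIGNATURE = b"NTLMSSP\x00"
TYPE1_HEADER_LEN = 32  # signature + type + flags + two security buffers

def split_account(name):
    """Split 'DOMAIN\\user', 'user@domain' or bare 'user' into (domain, user);
    a bare user name yields an empty domain, i.e. 'use the default domain'."""
    if "\\" in name:
        domain, user = name.split("\\", 1)
    elif "@" in name:
        user, domain = name.rsplit("@", 1)
    else:
        domain, user = "", name
    return domain, user

def build_type1(domain="", workstation=""):
    """Encode an NTLM Type 1 (negotiate) message. A non-empty domain goes into
    the OEM domain buffer and is announced via OEM_DOMAIN_SUPPLIED; an empty
    domain leaves the buffer empty, the 'null by default' case from the thread."""
    flags = (NEGOTIATE_UNICODE | NEGOTIATE_OEM | REQUEST_TARGET | NEGOTIATE_NTLM
             | NEGOTIATE_ALWAYS_SIGN | NEGOTIATE_EXTENDED_SESSIONSECURITY)
    dom = domain.upper().encode("ascii")       # Type 1 names are OEM (ASCII)
    ws = workstation.upper().encode("ascii")
    if dom:
        flags |= OEM_DOMAIN_SUPPLIED
    if ws:
        flags |= OEM_WORKSTATION_SUPPLIED
    dom_off = TYPE1_HEADER_LEN                 # payload follows the header
    ws_off = dom_off + len(dom)
    msg = SIGNATURE + struct.pack("<II", 1, flags)
    msg += struct.pack("<HHI", len(dom), len(dom), dom_off)  # domain buffer
    msg += struct.pack("<HHI", len(ws), len(ws), ws_off)     # workstation buffer
    return msg + dom + ws

def authorization_header(domain="", workstation=""):
    """First header an NTLM HTTP client sends: 'Authorization: NTLM <base64>'."""
    return "NTLM " + base64.b64encode(build_type1(domain, workstation)).decode()

def parse_type1(msg):
    """Decode a Type 1 message, checking each security buffer against the
    message length before reading it. Raises ValueError on malformed input."""
    if len(msg) < TYPE1_HEADER_LEN or msg[:8] != SIGNATURE:
        raise ValueError("not an NTLM Type 1 message")
    msg_type, flags = struct.unpack_from("<II", msg, 8)
    if msg_type != 1:
        raise ValueError("unexpected NTLM message type %d" % msg_type)
    fields = {"flags": flags}
    for name, flag, off in (("domain", OEM_DOMAIN_SUPPLIED, 16),
                            ("workstation", OEM_WORKSTATION_SUPPLIED, 24)):
        length, _maxlen, start = struct.unpack_from("<HHI", msg, off)
        if start + length > len(msg):
            raise ValueError("%s buffer points outside the message" % name)
        fields[name] = (msg[start:start + length].decode("ascii")
                        if flags & flag else "")
    return fields
```

A server-side component that receives such a message should apply the same bounds check before trusting the buffer offsets, since a client controls them.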