如何通过反向代理启用Windows身份验证? [英] How to enable windows authentication through a reverse proxy?
问题描述
很抱歉,如果它是一个重复的,因为我不是一个安全,也不网络专家我可能已经错过了正确的行话来查找信息。
我工作的应用程序截获并修改网络浏览器和Web服务器之间的HTTP请求和响应(请参阅how截取并修改服务器端的HTTP响应?了解背景)。我决定实施在ASP.Net的反向代理的客户端请求转发到后端的HTTP服务器,转换链接和标题从响应到正确proxifiedURL,并发送已经提取相关信息后,响应客户端从响应。
它工作正常,除了验证部分:Web服务器默认使用NTLM身份验证,而只是通过反向代理转发请求和响应不允许用户进行身份验证的远程应用程序。无论是反向代理和Web应用程序在同一个物理机器上,并且在同一个IIS服务器(Windows Server 2008 / IIS 7,如果该事项)被执行。我试图在没有运气反向代理应用程序都启用和禁用认证。
我已经看过了关于它的信息,这似乎与双跳问题,这是我不明白。我的问题是:有没有办法通过使用NTLM反向代理进行身份验证的远程应用程序的用户?如果没有,是我可以用有替代身份验证方法?
即使你没有解决我的问题,只是指着我关于它的相关信息,帮助我走出迷茫的将是巨大的!
我发现这个问题是什么(这是NTLM):为了让浏览器要求其凭据用户,响应必须有一个401状态code。我的反向代理被转发到浏览器的响应,所以IIS被加入了标准的HTML code解释请求的页面无法访问这样$ P $从询问凭据pventing浏览器。
该问题是由当状态code是401移除响应内容解决了。与所有尊重我该回答说,几年前,我必须承认这显然是假的。问题是确实的解决后,当状态code是401,但它有没有做最初的问题删除响应内容..
事实是,Windows身份验证是为了验证人在本地Windows网络,在没有代理服务器是present甚至是必要的。
与NTLM身份验证的主要问题是,这个协议不进行身份验证HTTP会话,但底层的TCP连接,据我知道有没有办法从ASP code访问它。
我想尽代理服务器打破了NTLM身份验证。
Windows身份验证是舒适的用户,因为他永远不会需要输入密码,以任何应用程序可能在于您的Intranet,可怕的家伙的安全,因为有一个自动登录,甚至没有一个提示,如果该网站域名被信任的IE浏览器,赫然一个网络管理员,因为它融化的应用,传输层和网络层到一些杯的窗口球,而不是只是普通的http流量。Sorry if it is a duplicate, as I am not a security nor network expert I may have missed the correct lingo to find information.
I am working on an application to intercept and modify HTTP requests and responses between a web browser and a web server (see how to intercept and modify HTTP responses on server side? for the background). I decided to implement a reverse proxy in ASP.Net which forwards client requests to the back-end HTTP server, translates links and headers from the response to the properly "proxified" URL, and sends the response to the client after having extracted relevant information from the response.
It is working as expected, except for the authentication part: the web server uses NTLM authentication by default, and just forwarding requests and responses through the reverse proxy does not allow the user to be authenticated on the remote application. Both the reverse proxy and the web application are on the same physical machine and are executed in the same IIS server (Windows server 2008/IIS 7 if that matters). I tried both enabling and disabling authentication on the reverse proxy app with no luck.
I have looked for information about it, and it seems to be related to the "double-hop problem", which I do not understand. My question is: is there a way to authenticate the user on the remote application through the reverse proxy using NTLM? If there is none, are there alternative authentication methods I could use?
Even if you don't have a solution to my problem, just pointing me to relevant information about it to help me get out of the confusion would be great!
解决方案I found what the problem was (and it is NTLM): in order to have the browser asks the user for its credentials, the response must have a 401 status code. My reverse proxy was forwarding the response to the browser, so IIS was adding a standard HTML code to explain the requested page cannot be accessed thus preventing the browser from asking credentials. The problem was solved by removing the response content when the status code is a 401.
With all due respect I have for the one that answered that some years ago, I must admit this is plainly false. The problem was indeed solved AFTER removing the response content when the status code is a 401, but it had none to do with the initial problem.. The truth is that windows authentication was made to authenticate people over local windows networks, where no proxy server is present or even needed. The main problem with NTLM authentication is that this protocol does not authenticate the HTTP session but the underlying TCP connection, and as far as I know there is no way to access it from asp code. Every proxy server I tried broke NTLM authentication. Windows authentication is comfortable for an user because he won't ever need to enter your password to whatever application may lie in your intranet, frightening for a security guy because there is an auto-login without even a prompt if the site domain is trusted by IE, shocking for a network administrator because it melts the application, transport and network layer into some "windows ball of mug" instead of just plain http traffic.
这篇关于如何通过反向代理启用Windows身份验证?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
