[jcifs] NTLM HTTP authentication & proxy notes

Marko Asplund marko.asplund at kronodoc.fi
Fri Nov 28 17:24:10 EST 2003


i've been integrating a jCIFS based NTLM HTTP authentication solution to
an existing web application and i thought i'd share some of the
experiences with the list. our problems were mainly related to HTTP
persistent connections and proxies.

Proxies were a cause of major headache in our project. NTLM HTTP
authentication won't work without HTTP Keep-Alive's and some proxies
don't properly respect Keep-Alive requests. we've deployed the
application in an environment with the following network configuration:

browser <==> TLS terminator hardware <==> HTTP reverse proxy <==> HTTP
reverse proxy <==> web application

at one point we were using Apache mod_ssl for doing TLS termination.
Apache v1.3 mod_ssl default configuration contains the following lines:
	SetEnvIf User-Agent ".*MSIE.*" \
		nokeepalive ssl-unclean-shutdown \
		downgrade-1.0 force-response-1.0

here we had to remove 'nokeepalive' and 'downgrade-1.0' parameters in
order to make Keep-Alive's work.

another issue was that an Apache mod_proxy based HTTP-HTTP reverse proxy
failed to do Keep-Alive. this turned out to be a bug in an ancient
mod_proxy version 1.3.19, upgrading to 1.3.28 fixed this problem.

hope this helps some of you,

best regards,
	aspa						http://www.kronodoc.fi/

More information about the jcifs mailing list