Apache Reverse Proxy server and SSL NTLM SharePoint

apache-2.2 ntlm reverse-proxy sharepoint

I'm trying to set Apache as proxy server to an internal SharePoint server.

I have previously configured Apache to run as a proxy server to export internal webpages and web applications.

However, SharePoint is using SSL and NTLM authentication, and this is new to me 🙁

I have tried many options. The traffic seems to be forwarded, as I get the authentication popup window, but when I enter the user/pass, I get back to the same popup window.

Has anybody configured Apache to do so?

Here is a part of my httpd.conf:

<VirtualHost *:443>
    ServerName repository.out.com

    SSLProxyEngine On
    RequestHeader set Front-End-Https "On"

    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / https://sharepoint.in.com
    ProxyPassReverse / https://sharepoint.in.com

    CacheDisable *

    SetEnv force-proxy-request-1.0 1 
    SetEnv proxy-nokeepalive 1

    ErrorLog logs/jlanza_log
    CustomLog logs/jlanza_log common
</VirtualHost>

Best Answer

NTLM was not designed to work through proxies (or in your case: reverse proxies).

As with a single proxy, inserting a reverse proxy will cause NTLM authentication between the client browser and the Web server to cease functioning.

(see http://support.microsoft.com/kb/198116/en-us)

However, there are workarounds:

  • In your case (where SSL is used) the module mod_proxy_connect might provide a solution, since it doesn't seem to terminate the HTTP session on the reverse proxy.
  • I know that recent versions of Squid use a feature called "connection-pinning" to proxy NTLM. I'm not sure if Apache has a similar feature. You could just use Squid instead of Apache...
  • You might also want to consider changing some of the default values in Firefox to make NTLM work (see about:config -> apply filter "NTLM").
  • Apart from that, changing the authentication from NTLM to Basic will probably solve all your problems. Since you are using SSL you won't even have to worry about someone sniffing your passwords while using Basic auth.
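
An added example, not part of the answer above: NTLM authenticates a TCP connection rather than each request, so the three-step handshake only completes when the proxy keeps the browser on one backend connection (what Squid calls connection pinning). The `Backend` class and `browser_login` helper are a hypothetical toy model with constructed tokens; `ntlm_type` decodes the message type from a real `Authorization: NTLM ...` header value.

```python
import base64
import struct

NTLM_SIG = b"NTLMSSP\x00"  # every NTLM message starts with this signature


def ntlm_type(header_value):
    """Return the NTLM message type (1, 2 or 3) carried in a header value, else None."""
    scheme, _, token = header_value.partition(" ")
    if scheme.upper() != "NTLM" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # malformed base64
        return None
    if len(raw) < 12 or not raw.startswith(NTLM_SIG):
        return None
    return struct.unpack_from("<I", raw, 8)[0]  # little-endian uint32 after signature


def make_token(msg_type):
    """Constructed minimal token: signature plus type only, enough for the model."""
    return "NTLM " + base64.b64encode(NTLM_SIG + struct.pack("<I", msg_type)).decode()


class Backend:
    """Toy server that ties the handshake state to the TCP connection id."""

    def __init__(self):
        self.challenged = set()

    def handle(self, conn_id, authorization):
        msg = ntlm_type(authorization) if authorization else None
        if msg == 1:  # Negotiate: remember which connection got the challenge
            self.challenged.add(conn_id)
            return 401, make_token(2)
        if msg == 3 and conn_id in self.challenged:  # Authenticate on same connection
            return 200, None
        return 401, "NTLM"  # anything else restarts the handshake


def browser_login(pinned):
    """Send the three handshake requests via a proxy; return the status codes seen."""
    backend = Backend()
    requests = [None, make_token(1), make_token(3)]
    # pinned: one backend connection for all requests; otherwise a new one each time
    return [backend.handle(0 if pinned else i, auth)[0] for i, auth in enumerate(requests)]


if __name__ == "__main__":
    print("pinned:  ", browser_login(True))
    print("unpinned:", browser_login(False))
```

The unpinned run never reaches 200, which in a browser shows up as the login prompt reappearing after credentials are entered.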