views:

2852

answers:

2

Hi,

  1. We have a SQUID reverse proxy and a MOSS 2007 portal. All sites are using NTLM.
  2. We cannot get it working with SQUID as a reverse proxy.

Any ideas where to start?

A: 

Can you switch to Kerberos instead of NTLM?

You're encountering the "Double-Hop Issue", whereby NTLM authentication cannot traverse proxies or servers.

This is outlined at this location: http://blogs.msdn.com/knowledgecast/archive/2007/01/31/the-double-hop-problem.aspx

And over here: http://support.microsoft.com/default.aspx?scid=kb;en-us;329986

Double-Hop Issue

The double-hop issue is when the ASPX page tries to use resources that are located on a server that is different from the IIS server. In our case, the first "hop" is from the web browser client to the IIS ASPX page; the second hop is to the AD. The AD requires a primary token. Therefore, the IIS server must know the password for the client to pass a primary token to the AD. If the IIS server has a secondary token, the NTAUTHORITY\ANONYMOUS account credentials are used. This account is not a domain account and has very limited access to the AD.

The double-hop using a secondary token occurs, for example, when the browser client is authenticated to the IIS ASPX page by using NTLM authentication. In this example, the IIS server has a hashed version of the password as a result of using NTLM. If IIS turns around and passes the credentials to the AD, IIS is passing a hashed password. The AD cannot verify the password and, instead, authenticates by using the NTAUTHORITY\ANONYMOUS LOGON.

On the other hand, if your browser client is authenticated to the IIS ASPX page by using Basic authentication, the IIS server has the client password and can make a primary token to pass to the AD. The AD can verify the password and does authenticate as the domain user. For more information, click the following article number to view the article in the Microsoft Knowledge Base: 264921 (http://support.microsoft.com/kb/264921/) How IIS authenticates browser clients

If switching to Kerberos is not an option, have you investigated the Squid NTLM project? http://devel.squid-cache.org/ntlm/
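To make the "hashed password versus primary token" distinction above concrete, here is a small model of the double hop. It is an added illustration, not code from this thread, from Squid or from SharePoint: the challenge/response scheme is a simplified HMAC-SHA256 stand-in for NTLM (real NTLM message formats are not reproduced), and the account name, password and server names are constructed sample values. The point it shows is that a middle tier which only saw the client's response to one challenge cannot answer a second server's fresh challenge, while a middle tier holding the cleartext password (the Basic auth case) can.

```python
"""Toy model of the NTLM 'double hop' problem (added example, not from the thread).

The challenge/response below is a simplified HMAC scheme standing in for NTLM.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed sample account (not a real user or password).
USERNAME = "CORP\\jdoe"
PASSWORD = "correct horse battery staple"


def password_hash(password: str) -> bytes:
    """What a verifier stores: a hash of the password, never the password itself."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def client_response(password: str, challenge: bytes) -> bytes:
    """The client's answer to a challenge, keyed by the password hash."""
    return hmac.new(password_hash(password), challenge, hashlib.sha256).digest()


class Server:
    """A service that authenticates by challenge/response (NTLM-style)."""

    def __init__(self, name: str, accounts: dict):
        self.name = name
        self.accounts = accounts  # username -> password hash

    def challenge(self) -> bytes:
        return os.urandom(8)  # fresh per authentication attempt

    def verify(self, username: str, challenge: bytes, response: bytes) -> bool:
        h = self.accounts.get(username)
        if h is None:
            return False
        expected = hmac.new(h, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


@dataclass
class ProxySession:
    """Everything the first hop (proxy / IIS) learned about the client."""
    username: str
    challenge: bytes
    response: bytes  # bound to that one challenge; no password, no hash


def first_hop(client_password: str, frontend: Server) -> ProxySession:
    """Browser authenticates to the front end with challenge/response."""
    c1 = frontend.challenge()
    r1 = client_response(client_password, c1)
    if not frontend.verify(USERNAME, c1, r1):
        raise RuntimeError("first hop failed")
    return ProxySession(USERNAME, c1, r1)


def second_hop_ntlm(session: ProxySession, backend: Server) -> bool:
    """Front end tries to act as the user towards the back end.

    The back end issues its own challenge. All the front end can offer is the
    response bound to the earlier challenge, so verification fails; in the real
    case the back end then sees only an anonymous logon.
    """
    c2 = backend.challenge()
    return backend.verify(session.username, c2, session.response)


def second_hop_basic(username: str, cleartext_password: str, backend: Server) -> bool:
    """With Basic auth the front end holds the cleartext password and can
    compute a valid response to the back end's fresh challenge itself."""
    c2 = backend.challenge()
    return backend.verify(username, c2, client_response(cleartext_password, c2))


def demo() -> dict:
    """Run both variants and report whether the second hop authenticated."""
    accounts = {USERNAME: password_hash(PASSWORD)}
    frontend = Server("iis-frontend", accounts)   # constructed name
    backend = Server("active-directory", accounts)  # constructed name
    session = first_hop(PASSWORD, frontend)
    return {
        "ntlm_second_hop": second_hop_ntlm(session, backend),
        "basic_second_hop": second_hop_basic(USERNAME, PASSWORD, backend),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` yields `ntlm_second_hop` false and `basic_second_hop` true, which is the whole double-hop story in two booleans. The model also explains why a proxy that terminates the NTLM exchange is the wrong shape: the only way for a middle box to let NTLM through unchanged is to relay the challenge and response between the same client connection and the same server connection, which is what NTLM pass-through projects such as the Squid one linked above are concerned with.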

A: 

Hi,

Thanks for the answer. We already have SQUID 2.6 STABLE 12 set up. ...and at first sight NTLM does seem to be working. ...but it behaves randomly, works for some pages and not for others.

On looking at the SQUID log we found that SharePoint was not responding to requests forwarded by SQUID in some cases.

We should be looking to move to Kerberos...thanks for the quick help.

SharePoint Newbie