tags:

views:

2852

answers:

2
Q: 

Has anyone been able to get SharePoint using NTLM working with SQUID as a reverse proxy?

Hi,

  1. We have a SQUID reverse proxy and a MOSS 2007 portal. All sites are using NTLM.
  2. We cannot get it working with SQUID as a reverse proxy.

Any ideas where to start?

A: 

Can you switch to Kerberos instead of NTLM?

You're encountering the "Double-Hop Issue", whereby NTLM authentication cannot traverse proxies or servers.

This is outlined at this location: http://blogs.msdn.com/knowledgecast/archive/2007/01/31/the-double-hop-problem.aspx

And over here: http://support.microsoft.com/default.aspx?scid=kb;en-us;329986

Double-Hop Issue The double-hop issue is when the ASPX page tries to use resources that are located on a server that is different from the IIS server. In our case, the first "hop" is from the web browser client to the IIS ASPX page; the second hop is to the AD. The AD requires a primary token. Therefore, the IIS server must know the password for the client to pass a primary token to the AD. If the IIS server has a secondary token, the NTAUTHORITY\ANONYMOUS account credentials are used. This account is not a domain account and has very limited access to the AD.

The double-hop using a secondary token occurs, for example, when the browser client is authenticated to the IIS ASPX page by using NTLM authentication. In this example, the IIS server has a hashed version of the password as a result of using NTLM. If IIS turns around and passes the credentials to the AD, IIS is passing a hashed password. The AD cannot verify the password and, instead, authenticates by using the NTAUTHORITY\ANONYMOUS LOGON.

On the other hand, if your browser client is authenticated to the IIS ASPX page by using Basic authentication, the IIS server has the client password and can make a primary token to pass to the AD. The AD can verify the password and does authenticate as the domain user. For more information, click the following article number to view the article in the Microsoft Knowledge Base: 264921 (http://support.microsoft.com/kb/264921/) How IIS authenticates browser clients

If switching to Kerberos is not an option, have you investigated the Squid NTLM project? http://devel.squid-cache.org/ntlm/

 2008-09-24 09:56:47
A: 

Hi,

Thanks for the answer. We already have SQUID 2.6 STABLE 12 setup. ...and at first sight NTLM does seem to be working. ...but it behaves randomly, works for some pages and not for others.

On looking at the SQUID log we found that SharePoint was not responding to requests forwarded by SQUID in some cases.

We should be looking to move to kerberos...thnks for the quick help.

SharePoint Newbie  2008-09-24 11:33:56

related questions

Upgrading Sharepoint 3.0 to SQL 2005 Backend?
Webpart registration error in event log
Sharepoint COMException 0x81020037
Transactional Design Pattern
Deploying InfoPath forms to different SharePoint servers
Profiling/Optimizing (Sharepoint 2007) Web Parts
Retreiving the PC Name of a Client? (Windows Auth)
What's the best way to report errors from a SharePoint workflow?
How to get out parameters working in SharePoint workflows
Editing User Profile w/ Forms Authentication
WSS/MOSS Book
Creating a development environment for SharePoint.
Sharepoint Wikis
Have you used a wiki in your project or group?
Can I copy files to a Network Place from a script or the command line?
How do you deploy your SharePoint solutions?
SharePoint WSS 3.0 Integration with Mac OSX (either Safari or Firefox)
SharePoint - Connection String dialog box during FeatureActivated event
How can I improve the edit-compile-test loop when developing a SharePoint workflow?
Best ajax library for Sharepoint
Alternative Hostname for an IIS web site for internal access only
How to reference to multiple version assembly
MOSS SSP problem - Failed database logons from deleted SSP
Sharepoint: executing stsadm from a timer job + SHAREPOINT\System rights
Can ASP.NET AJAX partial rendering work inside a SharePoint 2007 application page?