Hi,
I've got the following setup:
IE7 on the desktop in a corporate environment, capable of Kerberos/NTLM authentication
IIS6 with Integrated Windows Authentication (Kerberos/NTLM) enabled
Enfold Proxy (basically, URL-rewriting/proxying) plugin in IIS enabled, proxies to a Python web application (using Paste and WSGI)
This setup provides single sign-on. IIS sets the X-Remote-User header to the NTLM username (e.g. DOMAIN\username), and my application knows how to use that to authenticate the current user.
Now, I want to proxy (to apply some transformations to the result) a remote application, namely Vivisimo Velocity (a search engine). This runs in IIS6 on another machine on the local network.
I have used a transparent proxy (Paste#transparent_proxy) to basically make a connection to the remote machine that preserves all headers (including X-Remote-User) except HOST, and also sets X-Forwarded-For.
However, when the request reaches Velocity, it gives me a 401 Unauthorized. I'm not in control of the Velocity box, but I can ask questions of those who are.
My guess is that Velocity (or perhaps the IIS server there) doesn't trust the X-Remote-User header from my web server. Does that sound reasonable? And if so, how can I configure IIS and/or Velocity to trust my server and pass through the authentication?
Cheers, Martin
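
The header-trust question raised in the post, seen from the receiving side of a Python WSGI application, as an added example (not code from the post, Paste, Enfold Proxy or Velocity): a middleware that honours X-Remote-User only when the connection comes from an allow-listed proxy address and the value has the DOMAIN\username shape, and drops it otherwise. The proxy address, class name and helper names are assumptions made for the illustration.

```python
import re
from wsgiref.util import setup_testing_defaults

TRUSTED_PROXIES = frozenset({"10.0.0.5"})  # hypothetical address of the front-end proxy
DOWN_LEVEL_NAME = re.compile(r"[\w.-]+\\[\w.$-]+")  # DOMAIN\username shape

class TrustedRemoteUser:
    """Hypothetical WSGI middleware: the only source of REMOTE_USER for the app."""

    def __init__(self, app, trusted=TRUSTED_PROXIES):
        self.app, self.trusted = app, trusted

    def __call__(self, environ, start_response):
        # Always strip the header so the app never reads a client-supplied copy.
        claimed = environ.pop("HTTP_X_REMOTE_USER", None)
        peer = environ.get("REMOTE_ADDR", "")
        if claimed and peer in self.trusted and DOWN_LEVEL_NAME.fullmatch(claimed):
            environ["REMOTE_USER"] = claimed
        else:
            # Untrusted peer or malformed value: leave no identity behind.
            environ.pop("REMOTE_USER", None)
        return self.app(environ, start_response)

def demo_app(environ, start_response):
    """Stand-in application that requires an identity set by the middleware."""
    user = environ.get("REMOTE_USER")
    if user is None:
        start_response("401 Unauthorized", [("Content-Type", "text/plain")])
        return [b"no trusted identity"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("hello " + user).encode("utf-8")]

def simulate(peer, header=None):
    """Run one constructed request through the middleware; return (status, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["REMOTE_ADDR"] = peer
    if header is not None:
        environ["HTTP_X_REMOTE_USER"] = header
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"] = status
    body = b"".join(TrustedRemoteUser(demo_app)(environ, start_response))
    return seen["status"], body.decode("utf-8")

if __name__ == "__main__":
    print(simulate("10.0.0.5", "DOMAIN\\username"))   # request from the trusted proxy
    print(simulate("10.0.0.77", "DOMAIN\\username"))  # same header, unknown peer
```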