I am trying to determine how to do a health check against backend servers in HAProxy with NTLM authentication (Windows IIS servers). As I understand, it is 'multistage' in that it will do a 'basic' auth first, return a 401, and then try again with a NTLM Auth header to return the '200' code (assuming correct credentials).
This is baked into the http monitor in f5's BIGIP as I recently learned: it tries basic auth first, and then, failing that, attempts NTLM. Is there a way to mimic this in HAProxy?
I've tried configuring the http-check with a Basic authorization header but clearly this will not work. I can do a curl specifying '--ntlm' and '-H' specifying the host header and it returns the page, so I know what I have is correct.
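As an added illustration (not part of the question, and not HAProxy code), the following Python decides backend health from the first stage of the exchange described above: an unauthenticated probe to a Windows-auth site should get a 401 whose WWW-Authenticate header offers NTLM or Negotiate, and a health check can treat that challenge itself as "up" without holding any credentials. The sample responses are constructed, not captured from a real server; in HAProxy the same first-stage check can be expressed with `http-check expect status 401`, which does not inspect the scheme the way this code does.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample responses (not captured traffic) standing in for what a
# backend returns to a probe that sends no Authorization header at all.
RESP_CHALLENGE = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b"Content-Length: 0\r\n"
    b"WWW-Authenticate: Negotiate\r\n"
    b"WWW-Authenticate: NTLM\r\n"
    b"\r\n"
)
RESP_OK = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"
RESP_BASIC_ONLY = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b'WWW-Authenticate: Basic realm="site"\r\n'
    b"Content-Length: 0\r\n\r\n"
)
RESP_POOL_DOWN = b"HTTP/1.1 503 Service Unavailable\r\nContent-Length: 0\r\n\r\n"


def parse_response(raw: bytes) -> Tuple[int, Dict[str, List[str]]]:
    """Split a raw HTTP/1.x response into (status code, header map).

    Header names are lower-cased; repeated headers (IIS sends one
    WWW-Authenticate line per scheme) are kept as a list.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    match = re.match(r"HTTP/\d\.\d (\d{3})", lines[0])
    if not match:
        raise ValueError("not an HTTP/1.x status line: %r" % lines[0])
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(match.group(1)), headers


def offered_schemes(headers: Dict[str, List[str]]) -> set:
    """Authentication schemes the server advertises in WWW-Authenticate."""
    return {v.split()[0].lower() for v in headers.get("www-authenticate", []) if v.strip()}


def probe_verdict(raw: bytes) -> str:
    """Decide 'up' or 'down' from the first-stage (unauthenticated) response.

    Policy: 200 is up; 401 is up only if the backend offers NTLM or
    Negotiate, because that is the challenge a healthy Windows-auth site
    must send before any credentials are exchanged. Anything else, including
    a 401 that offers only Basic (Windows auth not enabled) or a 503 from a
    stopped application pool, is down.
    """
    status, headers = parse_response(raw)
    if status == 200:
        return "up"
    if status == 401 and offered_schemes(headers) & {"ntlm", "negotiate"}:
        return "up"
    return "down"


if __name__ == "__main__":
    for name, resp in [("challenge", RESP_CHALLENGE), ("ok", RESP_OK),
                       ("basic-only", RESP_BASIC_ONLY), ("pool-down", RESP_POOL_DOWN)]:
        print(name, "->", probe_verdict(resp))
```

The policy lives in `probe_verdict`: it marks the backend down when the 401 offers only Basic, because on an IIS site that is supposed to use Windows authentication that is a misconfiguration rather than a healthy challenge.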
I'm implementing a webdav server. I have everything working fine for anonymous access, but now I want to require authentication.
When a user clicks on a link to open the Word document (I'm using the ms-word: protocol), Word sends a couple of HTTP OPTIONS requests, first with an empty Bearer value in the Authorization header, to which the server responds with a WWW-Authenticate header, and everything is working correctly (after the user authenticates with Word, Word sends a follow-up HTTP OPTIONS request with a token value in the header).
However, when Word requests the file itself (using HTTP GET), there is no Authorization header. I've tried having the server respond with a 401 status, but when it does, Word simply gives up and informs the user the file can't be opened.
What's even more troubling is that, from what I can tell, Word sends the GET and OPTIONS requests in parallel, so at the time it sends the GET request, it has no idea that it will be authenticating with the OPTIONS request.
Not sure if this will always be the answer to the issues I described above, but I think it's a combination of problems I was running into. Here are the basics of how I got around the issues I was having.
Delete Office Webdav cache. Office caches information about Webdav servers pretty aggressively. The cache is found in the registry as this location: Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\X\Common\Internet\Server Cache where X is the current version of Office you have installed. Delete all subkeys that have your server's URL.
Do not use localhost or 127.0.0.1 for your Webdav. Office seems to behave differently if it knows that your server is local. This may mean needing to add entries into your hosts file to "trick" it into thinking your site is on a remote server.
If using some sort of federated auth (Azure AD, Google, Facebook, etc.) and you are using bearer tokens, Office needs to be told where to go to authenticate. This is done by responding to non-authenticated requests with a 401 status and the WWW-Authenticate header value being set to something like this (I can confirm this works for Azure AD):
Bearer authorization_uri="https://login.microsoftonline.com/[Tenant ID]/oauth2/authorize",trusted_issuers="https://login.microsoftonline.com/*/",client_id="[Azure AD App Client ID]"
Even with the client ID set, it seems like the Application ID URI in the app registration needs to match the server's base URL (protocol + host + port).
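The challenge behaviour from point 3 of this answer, as an added example that is not the answerer's code: a minimal request handler that returns a 401 carrying the Bearer WWW-Authenticate value shown above whenever the Authorization header is missing, empty (Office's first OPTIONS sends "Bearer" with no token) or invalid, and serves OPTIONS and GET otherwise. The tenant ID, client ID and the accepted token are placeholders; the static token allow-list stands in for real JWT validation and is labelled as such in the code.

```python
from typing import Callable, Dict, Optional, Tuple

# Placeholder identifiers, not real tenant or app registration values.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"


def build_bearer_challenge(tenant_id: str, client_id: str) -> str:
    """WWW-Authenticate value in the shape the answer above reports working."""
    return (
        'Bearer authorization_uri="https://login.microsoftonline.com/'
        f'{tenant_id}/oauth2/authorize",'
        'trusted_issuers="https://login.microsoftonline.com/*/",'
        f'client_id="{client_id}"'
    )


def bearer_token(headers: Dict[str, str]) -> Optional[str]:
    """Return the token from 'Authorization: Bearer <token>', or None.

    Office's first OPTIONS carries 'Authorization: Bearer' with an empty
    value; that must be treated exactly like a missing header so the
    server answers with the challenge rather than a bare 401.
    """
    value = next((v for k, v in headers.items() if k.lower() == "authorization"), "")
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def handle_request(
    method: str,
    headers: Dict[str, str],
    validate: Callable[[str], bool],
) -> Tuple[int, Dict[str, str]]:
    """Return (status, response headers) for an OPTIONS or GET on a document."""
    token = bearer_token(headers)
    if token is None or not validate(token):
        # Unauthenticated or bad token: always send the challenge header.
        return 401, {"WWW-Authenticate": build_bearer_challenge(TENANT_ID, CLIENT_ID)}
    if method == "OPTIONS":
        return 200, {"DAV": "1,2", "Allow": "OPTIONS, GET, HEAD, PUT, PROPFIND"}
    if method == "GET":
        return 200, {"Content-Type": "application/vnd.openxmlformats-officedocument"
                                     ".wordprocessingml.document"}
    return 405, {"Allow": "OPTIONS, GET"}


# Constructed stand-in for token validation. A production server must verify
# the JWT signature against the issuer's published keys and check issuer,
# audience and expiry; a static allow-list exists here only for the demo.
KNOWN_TOKENS = {"demo-token-123"}


def is_valid_token(token: str) -> bool:
    return token in KNOWN_TOKENS


if __name__ == "__main__":
    print(handle_request("OPTIONS", {"Authorization": "Bearer"}, is_valid_token))
    print(handle_request("GET", {"Authorization": "Bearer demo-token-123"}, is_valid_token))
```

Header lookup is case-insensitive in `bearer_token` because different Office components do not agree on the casing of the Authorization header; the challenge itself is built once from the two placeholder IDs so a real deployment only has to substitute its own values.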
I have been trying to configure access to an on-premise Web API from a native application using this walkthrough: How to enable native client applications to interact with proxy applications
According to the walkthrough,
"To support native client applications, Application Proxy accepts Azure AD-issued tokens that are sent in the header."
However, regardless of the tokens that I send in the request header, the proxy always responds with HTTP 302 and redirects me to the sign in page.
Has anyone been able to pass Azure app proxy pre-authentication using a token?
We have a web application (netcore) configured to use Windows authentication. It was working fine, but now we don't know why IIS sends a Basic authentication header even though it is configured for Windows authentication.
Any idea why?
An answer to myself, the error was related to a blocked user.
I have a Node.js service running, which I am trying to connect to from a different system. Currently I am using Postman to test the service. Postman gives an error: There was an error connecting to https://lddbbtx.wdf......./index.xsjs.
Now, I retried the request by disabling 'SSL certification verification' option in Postman and it seems to work. I can receive the response from the service.
But in production, we will be using Recast.AI to connect to this service. In Recast, they provide a means to set headers for the GET/POST requests. So, I wanted to know, is there a way to disable the SSL verification in the header of the request?
... is there a way to disable the SSL verification in the header of the request?
Validation of the server certificate is done on the client side. It is done during the TLS handshake and thus before any HTTP request is sent. Disabling validation cannot be triggered by the server, since otherwise a man-in-the-middle attacker could simply instruct the victim not to check the certificate.
In general, disabling validation or even part of the validation (like checking that the hostname in the URL matches the certificate) is a very bad idea. With disabled certificate validation the transport is still encrypted, but the client does not check that it actually communicates with the expected server. This way an attacker could do a simple man-in-the-middle attack to impersonate the server and thus sniff and also modify all traffic.
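To make the ordering in this answer concrete, here is an added Python example (not from the answerer, and not Recast.AI or Postman code) using only the standard library: the client builds a verifying TLS context, completes the handshake, and only then writes the HTTP request, so there is no request header in existence at the moment the certificate is checked. The `ca_bundle` parameter shows the right fix for a private or self-signed server certificate, which is to trust that specific issuer rather than to turn verification off; the host and path in the usage block are placeholders.

```python
import socket
import ssl
from typing import Optional


def make_client_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Client-side TLS context that verifies the server certificate and hostname.

    For a private CA or a self-signed server certificate, point ca_bundle at
    its PEM file: the client then trusts that one issuer instead of trusting
    everyone, which is what disabling verification amounts to.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname on
    if ca_bundle:
        ctx.load_verify_locations(cafile=ca_bundle)
    return ctx


def verification_summary(ctx: ssl.SSLContext) -> dict:
    """What this client will enforce during the handshake, for logging/audit."""
    return {
        "chain_verified": ctx.verify_mode == ssl.CERT_REQUIRED,
        "hostname_checked": bool(ctx.check_hostname),
        "trusted_cas": ctx.cert_store_stats()["x509_ca"],
    }


def https_get(host: str, path: str, ctx: ssl.SSLContext, port: int = 443) -> bytes:
    """TCP connect, then TLS handshake (certificate verified here), then HTTP.

    wrap_socket() raises ssl.SSLCertVerificationError before a single byte of
    HTTP is written, so nothing the client puts in a header, and nothing the
    server says in a response, can influence the verification outcome.
    """
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            request = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
            tls.sendall(request.encode("ascii"))
            chunks = []
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    context = make_client_context()  # or make_client_context("/path/to/private-ca.pem")
    print(verification_summary(context))
    # Placeholder target; replace with the real service host and path.
    # print(https_get("service.example.invalid", "/index.xsjs", context)[:200])
```

If the service really does use a certificate the client cannot validate, `verification_summary` is a cheap way to confirm in logs that the connecting side still has chain and hostname checking enabled after any configuration change.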
I am scripting for a SharePoint application in its Production environment, which uses NTLM authorization. The recording is working fine, but I am facing a 401 Unauthorized error during playback of the same script. Since this is an NTLM authorization application, the launch of the application redirects to the homepage without asking for the login credentials. The first HTTP request of the script, which is a GET method, throws the 401 Unauthorized error. I've used HTTP Authorization Manager, HTTP Cookie Manager and HTTP Cache Manager. The same config elements are used in the scripts for the UAT env, which works fine, and such an issue is never experienced in the UAT environment.
Please feel free to suggest if you have any idea on this issue.
Thanks.
HTTP Authorization Manager should have "Domain" field populated and matching your environment for NTLM authentication along with username and password.
See the Windows Authentication with Apache JMeter guide for more details.