Bug 39680

Summary: mod_proxy opens connections that disturb NTLM
Product: Apache httpd-2 Reporter: Olivier BOEL <ob>
Component: mod_proxyAssignee: Apache HTTPD Bugs Mailing List <bugs>
Status: RESOLVED DUPLICATE    
Severity: normal    
Priority: P2    
Version: 2.2.0   
Target Milestone: ---   
Hardware: Sun   
OS: Solaris   
URL: http://alsaha2.fares.net/sahat/.ee6b2ff

Description Olivier BOEL 2006-05-30 06:23:45 UTC 
The following configuration works fine with Apache 2.0 :
- client : IE + Windows XP
- Reverse Proxy : Apache 2.0 running on solaris 9
- IIS (Windows) server with NTLM authentication enabled
When a protected page (via ACL on the IIS server) is accessed by the 
client, thanks to Windows integrated authentication, the page is 
displayed with any user intervention (user identification prompt).

Since Apache 2.2, user receives an identification prompt and, although 
the username/password he enters are correct, he is not authorized.

Looking at the network traffic, it seems that the NTLM authentication 
process is made of 3 requests.
Between the client and the RP, they use a single connection (same 
port).
Between the RP and the IIS server, they use a single connection if the 
RP is running on Apache 2.0; however, with Apache 2.2, the 3 requests 
use 3 different connections (3 ports), which make NTLM fail.
This problem is reproductible at will.
I tried the "ProxyPass keepalive=On" directive but it didn't help.


Is there a workaround?
Comment 1 Ruediger Pluem 2006-05-30 19:54:32 UTC 

*** This bug has been marked as a duplicate of 39673 ***