Proxying IIS NTLM Authentication

[leon-andria]

I'm wondering if this work or not as when you got the windows prompt for login, you are not able to login and having continuously the login prompt indefinitely.
Does this is an know issue or there is a special configuration that we need to do in the proxy to make this work ?

[samsp-msft]

NTLM is not proxyable through YARP. The inbound connection from your client is independent of the connection made outbound by YARP to the destination server. The outbound connections are pooled between requests. NTLM is a connection based auth, so it would mean that the requests would be authenticated with the wrong users.

You can use NTLM to the proxy and have the proxy terminate the authentication. The destination would need to trust the proxy, and the proxy can add headers that identify the authenticated user and/or claim information that the destination would read from those headers.

[leon-andria]

Thank you for your quick reply. I think my title of the issue is misleading. Sorry for that.
It's not NTLM but Windows Authentication.

[Tratcher]

It's not NTLM but Windows Authentication.

The answer is the same, proxying Windows Authentication is not supported and is a non-goal.

[samsp-msft]

Could you explain the scenario in a bit more detail - what is running on the client and server, and what you want to do with the proxy in-between them. Do you "own" the client app or is it browser based? Do you have control over and can make changes to the server if necessary?

[samsp-msft]

Converting to a discussion as this seems to be more of a question rather than work item.