Negotiation failure when using http proxying #312
Comments
cylon
changed the title
|
Is the negotiation NTLM or Kerberos? NTLM is a connection-oriented protocol, so you need to maintain the same connection throughout the negotiation process. |
|
It's using Kerberos, we've disabled NTLM, and a network trace confirms Kerberos. In WindowsAuthProviderImpl at line 104: continueContext = this.continueContexts.asMap().get(connectionId);It fails right after that if it's not the same connection. |
|
I think the issue is because the connectionId is the combination of ip address and port number of the proxy server and not the client server, so if multiple requests come in simultaneously from multiple clients in an interleaved fashion then I think the wrong continueContext gets used for authentication Ex: client 1 -------- proxyserver ------server client 2 -------- proxyserver ------server <---- connection 1 - challenge |
|
Right, but shouldn't the proxy be a 1:1 mapping to client's connections in terms of sockets opened? Is it serving multiple clients on the same outgoing connection? |
|
I see your point.. |
|
It appears that connections are pooled on the backend and may not be retained across requests. We see lots of requests succeed and then occasionally a new one is used mid handshake. I haven't found any configuration that would control that. |
When running tomcat behind IIS or apache using http proxying, authentication randomly fails. When it fails multiple connections are being used during the negotation. Is there a way that waffle can deal with this?
client -------- server
connection 1
request ---->
<---- challenge
connection 2
handshake ----> waffle can't find connection
<----- reject
The text was updated successfully, but these errors were encountered: