troubles passing authentication from IIS 6 to Apache2

Aug 6, 2010 at 8:48 PM

Hello everyone,

First of - hats off for such a great tool and the fact that there is actually a great discussion board going here. Thanks' to everyone for providing this free tool and the contribution of your insights. Thank You!

Here is the scenario that I am fighting with:
I got a Microsoft Windows Server 2003 running IIS 6 on one machine that basically responds to all external http (80) requests. However, I have another Apache2 server running on my internal network that I would like for some people to have access to.

Thanks' to the documentation and the example files, I was able to configure a (basic) setup that makes the server accessible to the public. The Apache2 server is responding to the request and when selecting the "login" link, even a pop-up windows shows up asking for authentication information. However, it seems that the IIS 6 server is trying to authenticate the information rather than the Apache2 server.

ManagedFusion.Rewriter.txt:

#
#  Managed Fusion Url Rewriter
#  http://managedfusion.com/products/url-rewriter/
#
#  Developed by: Nick Berardi
#       Support: support@managedfusion.com
#
RewriteEngine on
RewriteLog "/Rewriter.log"
RewriteLogLevel 9

RewriteCond %{HTTP_HOST} ^subpage.mydomain.com
RewriteRule ^/subpage(.*) http://apache2/subpage$1 [P,NS]
RewriteRule ^/(.*) http://apache2/subpage$1 [P,NS]

 

Further, I copied the "Web.config" file from the Examples/WebApplication directory as is, only adding the line

<customErrors mode="Off"/>

after the <system.web> open statement to write error messages to the Rewriter.log file.

 

This is the output of the Rewriter.log:

2010-08-06T12:55:43 **********************************************************************************
2010-08-06T12:55:43 [Rewrite] Input: http://subpage.mydomain.com/subpage/webapp/login
2010-08-06T12:55:43 [Rule 0] Input: /subpage/webapp/login
2010-08-06T12:55:43 [Rule 0] Rule Pattern Matched
2010-08-06T12:55:43 [Condition 0] Input: subpage.mydomain.com
2010-08-06T12:55:43 [Condition 0]  Matched
2010-08-06T12:55:43 [Rule 0] Output: http://apache2/subpage/webapp/login
2010-08-06T12:55:43 [Rewrite] Proxy: http://apache2/subpage/webapp/login
2010-08-06T12:55:43 **********************************************************************************
2010-08-06T12:55:43 [Proxy] Request: http://apache2/subpage/webapp/login
2010-08-06T12:55:43 [Proxy] Error received from http://apache2/subpage/webapp/login: The remote server returned an error: (401) Unauthorized.
2010-08-06T12:55:43 [Proxy] System.Net.HttpWebResponse
2010-08-06T12:55:43 [Proxy] Received '401 Authorization Required'
2010-08-06T12:55:43 [Proxy] Response: http://subpage.mydomain.com/subpage/webapp/login
2010-08-06T12:55:43 [Proxy] Response is being buffered
2010-08-06T12:55:43 [Proxy] Responding '401 Authorization Required'
2010-08-06T12:55:43 **********************************************************************************

If somebody could assist with (detailed) instructions of what I would need to change to pass the authentication information from the pop-up window through to the Apache2 server, I would really apreciate it. Thanks' so much!

Best regards and good luck everyone,
Wolfgang

Aug 7, 2010 at 2:33 AM

Dang! - It seems like somebody else reported the same issue some time ago.

Ouch! That hurts! I was so excited after finding this page today. Hmmm, I guess I hit a road block and simply need to find a complete different solution. Too bad - still can't complain since it's all Open Source. I hope it will work well for others.

(FYI: I am using mod_digest on the Apache2 web server rather than simply mod_auth).

Coordinator
Aug 7, 2010 at 3:56 PM

Hi iXquisite,

I know we talked last night, but I want to post what we talked about as a reference for everybody else.  Because of how Digest authentication is secured, comared to basic, it doesn't work over a Proxy, because it relies on the request URL being part of the encoded authentication scheme.  And when you proxy a request you are essentially changing the request URL, so that is why the internal proxied server doesn't understand the authentication request.  Wikipedia has a great explanation of how Digest is constructed if you are interested in learning more.

Aug 9, 2010 at 2:36 AM

Hi nberardi,

Thank you for the followup and summary.

I have changed the authentication from Digest to Basic, using the following configuration

	<LocationMatch "/webapp/(.*/)?(.*/)?login">
		AuthType Basic
		AuthName Trac
		AuthUserFile /usr/share/webapp/webapp.htpasswd
		Require valid-user
		Order Allow,Deny
		Allow from all
	</LocationMatch>

And yes, just in case you are wondering: I have created a new webapp.htpasswd file. Everything runs fine on the target itself, but on the Windows 2003 Server with IIS 6 and IE 7.0 I still have the problem of having the login window pop up repeatedly three times asking for authentication and finally reporting a 401 error.

Here is the logfile:

2010-08-08T14:53:31 **********************************************************************************
2010-08-08T14:53:31 [Rewrite] Input: http://webapp.mydomain.com/webapp/login
2010-08-08T14:53:31 [Rule 0] Input: /webapp/login
2010-08-08T14:53:31 [Rule 0] Rule Pattern Matched
2010-08-08T14:53:31 [Condition 0] Input: webapp.mydomain.com
2010-08-08T14:53:31 [Condition 0]  Matched
2010-08-08T14:53:31 [Rule 0] Output: http://apache2/webapp/login
2010-08-08T14:53:31 [Rewrite] Proxy: http://apache2/webapp/login
2010-08-08T14:53:31 **********************************************************************************
2010-08-08T14:53:31 [Proxy] Request: http://apache2/webapp/login
2010-08-08T14:53:31 [Proxy] Error received from http://apache2/webapp/login: The remote server returned an error: (401) Unauthorized.
2010-08-08T14:53:31 [Proxy] System.Net.HttpWebResponse
2010-08-08T14:53:31 [Proxy] Received '401 Authorization Required'
2010-08-08T14:53:31 [Proxy] Response: http://webapp.mydomain.com/webapp/login
2010-08-08T14:53:31 [Proxy] Response is being buffered
2010-08-08T14:53:31 [Proxy] Responding '401 Authorization Required'
2010-08-08T14:53:31 **********************************************************************************

If I understand it correctly, somebody else reported that same issue with basic authentication and had an issue and you have actually created a ticket item. So I am wondering at this point if this is an issue with urlrewriter, or an issue with the configuration and setup.

For reference, the ticket that has been created about that same issue, if I am not mistaken - please correct me if I am wrong here:

http://urlrewriter.codeplex.com/workitem/10893?ProjectName=urlrewriter

Thank you so much for all of your help and insight!

Wolfgang

Coordinator
Aug 10, 2010 at 3:24 AM

I am working on identifying the problem.  

Aug 14, 2010 at 6:12 PM

Hi Nick,

I realize you put probably quite some time into fixing authentication using reverse proxy. Thanks for doing that. As far as I understand, you tested IIS v.? with IIS v.? using reverse proxy and authentication to work successfully, correct?

One of my top questions for you would be if you see the different login windows as well, when you access the reverse proxied site directly from the primary IIS machine's IE using its host name or IP address only vs. using the external address that includes the domain name most likely? (please see illustration below)

I downloaded your latest version and tested reverse proxy from IIS6 to Apache2, but unfortunately authentication still won't work. I am not sure where to start looking at this point. I can install some protocol tracing application to see what is being sent back and forth between IE7 on Windows 2003 Server connecting directly to the Apache2 server versus IE7 on Windows 2003 Server contacting IIS6 first and that server using reverse proxy to have the Apache2 server feedback the content/authentication.

For illustration purpose, I came up with a simple graphic that outlines what I am trying to accomplish.
Graphic of the two servers inside of the firewall but having issues passing authentication information correctly from the IIS6 server to Apache 2
(Important note: I just want to make clear that that I have tried everything from "userid", "userid@sub", "userid@authname", "sub\userid", but none of these options would work.)

I have no idea of how to trace of what info gets sent from one logon window versus the other to the Apache2 server when using reverse proxy. My last resort would be to use WireShark and figure that out. But that would make sense only if we can correct something in the code later.

My second most immediate question would be to understand the process, of what's going on behind the scene when the user clicks on the login link of the Apache2 hosted web site. IIS has to somehow relay the login info and I believe it can only do so when the ISAPI filter is in-between. Where I wanted to get with my question is to understand if the ISAPI rewrite filter using reverse proxy had the capability to strip the domain out of the login request information that is then being presented to the user. It seems to me that the login window presented by IIS is more a windows domain login window and intended for that, rather than a simple user name / password request that is then being relayed to the reverse proxy machine. The Windows domain login window seems to transmit authentication information differently that the Apache2 machine ultimately is not capable of resolving.

What are your thoughts?

If you have some idea, please let me know. Thank You!
Wolfgang

Aug 14, 2010 at 11:46 PM

OK, so I eliminated one more warning message. Now the public accessible portion of the web site works as perfect as could be using reverse proxy. As soon as the /sub/login link is being accessed, I get the following messages as part of my "Rewriter.log":

2010-08-14T16:13:36 **********************************************************************************
2010-08-14T16:13:36 [Rewrite] Input: http://sub.mydomain.com/sub/webapp/login
2010-08-14T16:13:36 [Rule 0] Input: /sub/webapp/login
2010-08-14T16:13:36 [Rule 0] Rule Pattern Matched
2010-08-14T16:13:36 [Condition 0] Input: sub.mydomain.com
2010-08-14T16:13:36 [Condition 0]  Matched
2010-08-14T16:13:36 [Rule 0] Output: http://apache2/sub/webapp/login
2010-08-14T16:13:36 [Rewrite] Proxy: http://apache2/sub/webapp/login
2010-08-14T16:13:36 **********************************************************************************
2010-08-14T16:13:36 [Proxy] Request: http://apache2/sub/webapp/login
2010-08-14T16:13:36 [Proxy] Error received from http://apache2/sub/webapp/login: The remote server returned an error: (401) Unauthorized.
2010-08-14T16:13:36 [Proxy] System.Net.HttpWebResponse
2010-08-14T16:13:36 [Proxy] Received '401 Authorization Required'
2010-08-14T16:13:36 [Proxy] Response: http://sub.mydomain.com/sub/webapp/login
2010-08-14T16:13:36 [Proxy] Response is being buffered
2010-08-14T16:13:36 [Proxy] Responding '401 Authorization Required'
2010-08-14T16:13:36 **********************************************************************************

This is the part of the config file that restricts access for the /login page:

	
	<LocationMatch "/sub(.*)login(.*)">
		AuthType Basic
		AuthName sub
		AuthUserFile /usr/share/trac/trac.htpasswd
		Require valid-user
		Order Allow,Deny
		Allow from all
	</LocationMatch>

With that I am now a bit puzzled of what else I could check into and change to make reverse proxy including basic authentication work from IIS6 to Apache2.

Thanks for all your insight, suggestions, comments, ideas!!!
Wolfgang

Coordinator
Aug 15, 2010 at 4:28 PM
Edited Aug 15, 2010 at 4:30 PM

A 401 Authorization Required is correct, that is the status code that prompts the browser to put up the logon box.  

Does a 401 actually make it out to your browser when you hit the external site?

P.S.  Everything besides a status code of 200 OK says it has received an error.  So you can ignore the error part and just look at the status code.

Aug 15, 2010 at 6:28 PM
nberardi wrote:

A 401 Authorization Required is correct, that is the status code that prompts the browser to put up the logon box.  

Does a 401 actually make it out to your browser when you hit the external site?

P.S.  Everything besides a status code of 200 OK says it has received an error.  So you can ignore the error part and just look at the status code.

Hi Nick,

The external site has a public and a protected area. The public area works just fine. All I get is 200 return codes, no errors, no warnings. In order to get to the protected area, I have a login page that is protected as well and causes the browser (IE) to put up the logon prompt. As shown above, the logon prompt for some reason looks different as soon as the URL in the browser contains the domain name as well, no matter if the login page is called locally on the IIS6 machine or externally. It appears to me that when the domain name (qualifier) remains as part of the URL, IIS6 prompts the browser to use a different login window. Not sure if I use all the correct terminology and if I see all the way through, but it sure looks like.

A 401 error code makes it to the browser (IE), once I have entered the login information three times "incorrectly", in other words, when the login information is not able to make it through to the Apache server correctly.

So this is the typical Error page IE would put up:


You are not authorized to view this page

You do not have permission to view this directory or page using the credentials that you supplied.
--------------------------------------------------------------------------------

Please try the following:

•Contact the Web site administrator if you believe you should be able to view this directory or page.
•Click the Refresh button to try again with different credentials.
HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials.
Internet Information Services (IIS)

--------------------------------------------------------------------------------

Technical Information (for support personnel)

•Go to Microsoft Product Support Services and perform a title search for the words HTTP and 401.
•Open IIS Help, which is accessible in IIS Manager (inetmgr), and search for topics titled Authentication, Access Control, and About Custom Error Messages.


I guess this looks all fine and is supposed to work as should. The only wild guess I have at this moment is that IIS just puts up a different logon window when it sees a fully qualified domain in the URL.

Any thoughts are very much appreciated. Thanks' for all of your help on this!

Coordinator
Aug 16, 2010 at 12:39 AM

Use fiddler to capture the requests for me, and then email them to me.

http://www.fiddler2.com/fiddler2/

Should at least be able to diagnose the problem then.  Because after all there is not magic with this, it is all just text going back and forth.