Wednesday, June 11, 2008

Using NTLM Authentication with CFHTTP

Anyone who has done a significant amount of work within company intranets in a Microsoft network environment will at some point have lamented the lack of NTLM support in CFHTTP and in the ColdFusion Administrator's Scheduled Task and System Probe functions.

Intranets within Microsoft environments have always had a key advantage: when web servers are set to use integrated security (Integrated Windows Authentication), no user logins are required. Clients using Internet Explorer are authenticated automatically, which is a usability and security benefit of immense value. This is due to NTLM authentication, a challenge-response exchange that the browser completes transparently with the logged-on user's Windows credentials whenever web servers or web-hosted files are set to use integrated security. This is easily done on IIS and achievable on Apache as well. However the ColdFusion tag CFHTTP, the out-of-the-box HTTP client, does not support NTLM authentication, which means that special measures have typically been required before HTTP could be a viable communication and information-gathering tool for ColdFusion servers in Microsoft environments. This problem affects the HTTP requests sent by native ColdFusion Administrator functions such as Scheduled Tasks and System Probes as well.

There are two common approaches to allowing HTTP in NTLM and integrated security environments:

  • Use an alternative CFHTTP implementation. For example the CFX_HTTP5 custom tag supports NTLM and provides a couple of extra features as well. It is also possible to roll your own implementation using COM objects or .NET assemblies. Of course, solving the CFHTTP issue does not help with CF Administrator Scheduled Tasks or System Probes.
  • Change the security around specific resources in an ad hoc fashion to Basic or another less secure scheme. With many applications using a 'front-end controller' pattern this can mean creating a proxy page. The disadvantages of this approach are the added complication to your code base, the overall poorer security outcome (Basic sends the credential in clear text on every request, so it needs TLS or a trusted network segment), and the fact that at times you do not have this level of administrative access to the other internal resources you wish to connect to.

While installing Trac the other day (a long and drawn-out process I should blog about) I was reminded of another, more elegant solution: using a dedicated NTLM-aware proxy server. A dedicated proxy server can convert your CFHTTP Basic authentication to NTLM, and since it is dedicated it can be configured to accept requests only from your ColdFusion server machines. The proxy server required is lightweight and in some circumstances can share your ColdFusion server machine. Bear in mind that the proxy receives the clear-text Basic credential from CFHTTP, so keep it on the loopback interface or a trusted segment and restrict the source addresses it will serve.

All ColdFusion HTTP services (CFHTTP, Scheduled Tasks and System Probes) support the definition of proxy server settings, so your endpoint URLs can be maintained as they are, and on the receiving end you can use the automatic authentication to determine with confidence the end user (the account the CF server presents) that is accessing the resource.

The specific NTLM-aware proxy server that I experimented with was a Python-based server called NTLM Authorization Proxy Server (NTLMAPS). Other implementations surely exist, however, which I'll endeavor to do some more research on and blog about here.
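Here is the CFHTTP side of the arrangement described above, as an added example rather than code from the original post or from NTLMAPS. Everything specific in it is assumed: the proxy listening on the ColdFusion server's loopback interface on port 5865, a hypothetical IIS site `intranet.example.local` behind integrated security, a hypothetical `EXAMPLEDOM\cfservice` service account, and an `application.ntlmServicePassword` variable standing in for wherever you keep the secret. The function also makes the direct request as a diagnostic: a 401 whose `WWW-Authenticate` header offers `NTLM` or `Negotiate` is the signature of the problem the post describes, and it is what you see when the proxy is bypassed or rejects the client.

```cfml
<!--- Added example; not code from the original post or from NTLMAPS.
      Assumed values: proxy on loopback port 5865, a hypothetical IIS
      target using integrated security, a hypothetical service account. --->
<cfset proxyHost = "127.0.0.1">
<cfset proxyPort = 5865>
<cfset reportUrl = "http://intranet.example.local/reports/daily.xml">

<!--- Do not hard-code the password in the page. Assumed: it is loaded
      at application start from a file only the CF service identity reads. --->
<cfset svcUser = "EXAMPLEDOM\cfservice">
<cfset svcPassword = application.ntlmServicePassword>

<cffunction name="fetchViaNtlmProxy" returntype="struct" output="false"
            hint="GET a resource, optionally through the NTLM-aware proxy">
    <cfargument name="targetUrl" type="string" required="true">
    <cfargument name="useProxy" type="boolean" default="true">
    <cfset var httpResult = structNew()>
    <cfset var outcome = structNew()>
    <cfset var authHeader = "">

    <cfif arguments.useProxy>
        <!--- username/password make CFHTTP send an Authorization: Basic
              header. CFHTTP never speaks NTLM itself; the proxy swaps that
              Basic credential for the NTLM handshake with the IIS host. --->
        <cfhttp url="#arguments.targetUrl#" method="get" timeout="30"
                proxyserver="#proxyHost#" proxyport="#proxyPort#"
                username="#svcUser#" password="#svcPassword#"
                result="httpResult">
        </cfhttp>
    <cfelse>
        <!--- Direct request with no credentials: used as a diagnostic --->
        <cfhttp url="#arguments.targetUrl#" method="get" timeout="30"
                result="httpResult">
        </cfhttp>
    </cfif>

    <!--- statusCode is e.g. "200 OK"; a connection failure yields 0 --->
    <cfset outcome.statusCode = val(listFirst(httpResult.statusCode, " "))>
    <cfset outcome.body = httpResult.fileContent>
    <cfset outcome.needsNtlm = false>

    <!--- A 401 offering NTLM/Negotiate means the resource is behind
          integrated security and this request did not get NTLM. --->
    <cfif outcome.statusCode eq 401
          and structKeyExists(httpResult.responseHeader, "WWW-Authenticate")>
        <cfset authHeader = httpResult.responseHeader["WWW-Authenticate"]>
        <!--- CF returns an array when the header is repeated --->
        <cfif isArray(authHeader)>
            <cfset authHeader = arrayToList(authHeader)>
        </cfif>
        <cfset outcome.needsNtlm = reFindNoCase("(NTLM|Negotiate)", authHeader) gt 0>
    </cfif>

    <cfreturn outcome>
</cffunction>

<cfset direct = fetchViaNtlmProxy(reportUrl, false)>
<cfset viaProxy = fetchViaNtlmProxy(reportUrl, true)>

<cfoutput>
Direct: #direct.statusCode# (integrated security required: #direct.needsNtlm#)<br>
Via proxy: #viaProxy.statusCode#<br>
</cfoutput>
```

The same four values (proxy server, proxy port, username, password) go into the corresponding fields of a ColdFusion Administrator Scheduled Task, which is what makes this approach cover the Administrator functions as well as your own code. On the NTLMAPS side you need its listening port, its option that converts a client's Basic credential into NTLM, and its client-restriction settings configured in `server.cfg`; I am recalling those option names from memory rather than from the page, so confirm them against the `server.cfg` shipped with your copy. Because the credential travels in clear text between CFHTTP and the proxy, the loopback address above is deliberate.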

Overall I think the usage of an NTLM proxy service as I describe is a more elegant and consistent approach which minimises the impact of this unfortunate issue on your code base and your approaches to security. Let me know what you think.

1 comment:

  1. Railo 4 now supports this
    http://webonix.net/post/railo-can-do-ntlm-authentication