
RE: Mixed http2/1.1 Authentication

From: Mike Bishop <Michael.Bishop@microsoft.com>
Date: Mon, 14 Mar 2016 18:15:05 +0000
To: Dennis Olvany <dennisolvany@gmail.com>, Ilari Liusvaara <ilariliusvaara@welho.com>
CC: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-ID: <CH1PR03MB1916912B75171C53CFD258B787880@CH1PR03MB1916.namprd03.prod.outlook.com>
See https://www.ietf.org/archive/id/draft-montenegro-httpbis-multilegged-auth-01.txt for more on this. In short, multi-legged auth schemes don't mesh well with multiplexed requests. You can do some modifications to make this work, but the working group chose not to adopt this draft. Currently, Windows will fall back to HTTP/1.1 if either client or server attempts to use NTLM.

From: Dennis Olvany [mailto:dennisolvany@gmail.com]
Sent: Saturday, March 12, 2016 9:36 AM
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: ietf-http-wg@w3.org
Subject: Re: Mixed http2/1.1 Authentication

Thanks, Ilari. After further research, it looks like I may be running into the http2 incompatibility with ntlm. Is this limitation applicable to the mixed use case? Is anyone aware of a good write up which explains the ntlm incompatibility?

On Sat, Mar 12, 2016 at 11:44 AM Ilari Liusvaara <ilariliusvaara@welho.com> wrote:
On Sat, Mar 12, 2016 at 04:16:14PM +0000, Dennis Olvany wrote:
> Hello,
> I am interested in understanding the interoperability of http
> authentication in a mixed http2/1.1 deployment. The use case is http2
> between client and load balancer (ssl offload), then http1.1 between load
> balancer and server. Authentication occurs at the server, not the load
> balancer. My understanding is that the authorization header is sent with
> every request, but perhaps this is not the case if the client is performing
> http2 header compression. It seems logical that it should be the
> responsibility of the intermediary to cache and transmit the header with
> each request. Does the standard stipulate the behavior of clients and
> intermediaries to support authentication in a mixed design? Are there any
> known limitations with such a design?

Basically, the header is logically sent in every request (that is to be
authenticated), even if header compression compresses it to zero space.

So if the load balancer can forward to multiple servers, it needs to
take the header compression context into account for each request.
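An added illustration of the point above (example code written for this note, not code from the thread or from any HTTP/2 implementation): a reduced HPACK (RFC 7541) decoder, with the static table truncated to the four entries the sample uses, no Huffman strings and no dynamic-table eviction (model assumptions). The two constructed request header blocks carry the same Authorization header, first as a literal and then as a one-byte index, and a decoder that lacks that connection's dynamic table cannot recover it.

```python
# Reduced HPACK (RFC 7541) decoder illustrating why an HTTP/2 -> HTTP/1.1 intermediary
# must apply the connection's compression context to every request. Model assumptions:
# static table truncated to the entries used, no Huffman strings, no table eviction.
STATIC_SIZE = 61  # real static table length; dynamic entries start at index 62
STATIC = {2: (":method", "GET"), 4: (":path", "/"), 7: (":scheme", "https"), 23: ("authorization", "")}

def decode_int(data, pos, prefix_bits):
    """HPACK integer (RFC 7541 5.1): N-bit prefix, then 7-bit continuation bytes."""
    mask = (1 << prefix_bits) - 1
    value, pos, shift = data[pos] & mask, pos + 1, 0
    more = value == mask                     # prefix saturated: continuation bytes follow
    while more:
        b, pos = data[pos], pos + 1
        value, shift, more = value + ((b & 0x7F) << shift), shift + 7, bool(b & 0x80)
    return value, pos

def decode_string(data, pos):
    """String literal (5.2); the top bit flags Huffman coding, which this model rejects."""
    if data[pos] & 0x80: raise ValueError("Huffman-coded string: not handled by this model")
    length, pos = decode_int(data, pos, 7)
    return data[pos:pos + length].decode("ascii"), pos + length

class Decoder:
    def __init__(self):
        self.dynamic = []  # one per connection; newest entry first, as RFC 7541 numbers them
    def lookup(self, index):
        if index <= STATIC_SIZE:
            return STATIC[index]
        if index - STATIC_SIZE > len(self.dynamic):
            raise ValueError("index %d is not in this connection's table" % index)
        return self.dynamic[index - STATIC_SIZE - 1]
    def decode(self, block):
        headers, pos = [], 0
        while pos < len(block):
            if block[pos] & 0x80:                # indexed header field (6.1)
                index, pos = decode_int(block, pos, 7)
                headers.append(self.lookup(index))
            elif block[pos] & 0x40:              # literal with incremental indexing (6.2.1)
                index, pos = decode_int(block, pos, 6)
                name, pos = (self.lookup(index)[0], pos) if index else decode_string(block, pos)
                value, pos = decode_string(block, pos)
                self.dynamic.insert(0, (name, value))   # header enters the dynamic table
                headers.append((name, value))
            else:
                raise ValueError("representation not covered by this model")
        return headers

# Constructed sample: Authorization is a literal in request 1, then one byte (0xBE = index 62) in request 2.
REQ1 = bytes([0x82, 0x87, 0x84, 0x57, 0x12]) + b"Basic dXNlcjpwYXNz"
REQ2 = bytes([0x82, 0x87, 0x84, 0xBE])
```

Decoding REQ2 with a Decoder that saw REQ1 yields the full Authorization header; decoding it with a fresh Decoder raises, which is the failure an intermediary hits if it forwards requests from one connection without that connection's table.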

Received on Monday, 14 March 2016 18:15:35 UTC