This is a discussion on Reverse Proxy with 2 Levels of Authentication within the Apache Web Server forums, part of the Web Server and Related Forums category.

Hi,

I'm trying to set up Apache2 as a reverse proxy for an Exchange 2003 server. For a number of reasons (beyond my control) not all Exchange users have strong passwords. In an ideal world, I'd simply disable their Exchange "Outlook Web Access" privileges and get on with it. Unfortunately, I am required to permit weak-password web access from within our organisation.

What I would like to do is have Apache sit in front of my Exchange server and perform a first-level authentication with a strong username/password that I can dictate. Once this has happened, users can access Exchange simply by entering their weak username/password as they would if they were in the office. On top of this, the system should also be secure enough that a carefully formed URL cannot bypass first-level authentication. Finally, access to Apache (from the outside world) must be SSL, but access to the Exchange server must be non-SSL.

I have been experimenting with Apache running on a SuSE box. I can get directory authentication working OK. I can even get authentication to a VirtualHost "Location" that acts as a proxy to the root of my Exchange server's IIS. My problem is that when I try authentication to VirtualHost Location(s) that act as a proxy to the 3 required Exchange directories (Exchange, ExchWeb & Public), second-layer authentication fails on the Exchange server. Even though I get 2 authentication prompts and provide first- and second-level credentials respectively, the Exchange server log shows that I am attempting to authenticate to Exchange using my first-level credentials rather than my second-level credentials.

I think that my problem lies in the fact that I'm using the same AuthName parameter for my first-level authentication and then also for my Exchange "Location". The reason that I have done this is to prevent external users simply typing in the Exchange URL, thus bypassing first-level authentication.

Is there a way of password-protecting the WHOLE server without passing those credentials to a proxied host? I don't see this as an Exchange-specific issue. I suspect that this will happen with any back-end web server that requires independent authentication. I've read quite a few posts about the SSL/non-SSL aspect of my requirement and am confident that portion can be made to work.

Any ideas or suggestions are welcome.
Davide,

Thanks for your response. I'm going to try another approach. Exchange 2003 has a new feature called "Forms-Based Authentication", which does not rely on browser authentication. I am going to try to configure layer-1 authentication to be Apache using browser-based and layer-2 authentication to be Exchange using forms-based. On the down side, I have to tackle SSL sooner rather than later, as FBA requires SSL.

Regards,
Dean.

"Davide Bianchi" <davideyeahsure@onlyforfun.net> wrote in message news:slrnd717g3.168.davideyeahsure@fogg.onlyforfun.net...
> On 2005-04-28, NoSpam <me@here.com> wrote:
> > Even though I get 2 authentication prompts and provide first- and second-level credentials respectively, the Exchange server log shows that I am attempting to authenticate to Exchange using my first-level credentials rather than my second-level credentials.
>
> Yes, that's the way the browser works. When Apache returns the 'authentication required' error, the browser asks for authentication, then it sends the credentials provided by the user along with every subsequent request. So the same credentials are transferred through the proxy to Exchange.
>
> > Any ideas or suggestions are welcome.
>
> The only solution I can think of would be to use a "local" page on the proxy with a frameset requesting the content from the Exchange server, and then rewriting the content on the fly to avoid the 'direct URL' approach (this is also known as http-screening). But I'm not sure how effective that would be.
>
> Davide
>
> --
> Linux - It is now safe to turn on your computer.
> -- From a Slashdot.org post
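As an added example (not configuration posted by Dean or Davide, and not anything from the thread itself), here is an Apache httpd configuration that ties together where the two posts end up: Apache does layer 1 with HTTP Basic auth over SSL on the whole virtual host, strips the Authorization header before proxying so the gateway credentials never reach Exchange, and leaves layer 2 to Exchange's forms-based authentication, which rides on a cookie rather than on the Authorization header that the browser re-sends with every request. The host names, file paths, realm name and the use of mod_headers' `RequestHeader unset` to drop the credentials are assumptions of this example.

```apache
# Added example, not from the thread. Assumed names: owa.example.com (the
# public name), exchange.internal (the Exchange 2003/IIS box, reached over
# plain HTTP as the original post requires), and
# /etc/apache2/owa-gateway.htpasswd (the strong layer-1 accounts).
# Needs mod_ssl, mod_proxy, mod_proxy_http, mod_headers and Basic auth
# (mod_auth on Apache 2.0; mod_auth_basic + mod_authn_file on 2.2).

# Never act as a forward proxy; only the explicit ProxyPass lines apply.
ProxyRequests Off

<VirtualHost *:443>
    ServerName owa.example.com

    # The outside world only ever talks SSL to the gateway.
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/owa.example.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/owa.example.com.key

    # Layer 1: protect the WHOLE virtual host, not only the proxied paths,
    # so that no URL (crafted or otherwise) reaches a ProxyPass rule before
    # the gateway credentials have been checked.
    <Location />
        AuthType Basic
        AuthName "OWA gateway"
        AuthUserFile /etc/apache2/owa-gateway.htpasswd
        Require valid-user
    </Location>

    # The three OWA paths, and nothing else, are forwarded to Exchange over
    # plain HTTP. Any other path is served (or 404ed) by Apache locally.
    ProxyPass        /exchange http://exchange.internal/exchange
    ProxyPassReverse /exchange http://exchange.internal/exchange
    ProxyPass        /exchweb  http://exchange.internal/exchweb
    ProxyPassReverse /exchweb  http://exchange.internal/exchweb
    ProxyPass        /public   http://exchange.internal/public
    ProxyPassReverse /public   http://exchange.internal/public

    # Send users to OWA once they are past layer 1.
    RedirectMatch ^/$ /exchange/

    # What the original post did (do NOT repeat): a second Basic-auth
    # Location on /exchange with the same AuthName and the Authorization
    # header left intact, so the gateway user/password was what Exchange
    # received and tried to log on with.
    #
    # Layer 2 is Exchange's own forms-based authentication (cookie based).
    # RequestHeader runs after Apache's own auth check has passed, so
    # unsetting Authorization here means Exchange sees no Basic credentials
    # at all and serves its logon form instead.
    <LocationMatch "^/(exchange|exchweb|public)(/|$)">
        RequestHeader unset Authorization
    </LocationMatch>
</VirtualHost>

# Plain-HTTP listener exists only to push people onto the SSL side.
<VirtualHost *:80>
    ServerName owa.example.com
    Redirect permanent / https://owa.example.com/
</VirtualHost>
```

Check the syntax with `apache2ctl configtest` before reloading. Two caveats a practitioner should keep in mind. First, this only works because layer 2 does not use the Authorization header: if the OWA virtual directories in IIS are left on Basic (or NTLM) instead of forms-based authentication, Exchange answers the stripped request with its own 401, the browser then prompts for the Exchange realm and replaces the one Authorization header it sends with those credentials, and the next request fails at Apache's layer 1 instead, which is the thread's symptom the other way round. Second, Dean notes that FBA requires SSL on the Exchange side, while the original requirement is a non-SSL back end; this example proxies to plain HTTP as the post asks for, and reconciling that with the FBA requirement is an Exchange-side question the thread leaves open.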