Azure API Management
An Azure service that provides a hybrid, multi-cloud management platform for APIs.
1,976 questions
Azure API Management Self Hosted via NTLM Proxy
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(310.4, 89%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESH%3C/text%3E%3C/svg%3E)
Simon H
0
Reputation points
I am attempting to configure API Management Self Hosted in our Enterprise (running in Kubernetes). It needs to access the service endpoint via an Enterprise proxy, which uses NTLM authentication.
To do this, I have setup HTTPS_PROXY=http://username:password@proxyurl:80 as per https://learn.microsoft.com/en-us/azure/api-management/how-to-self-hosted-gateway-on-kubernetes-in-production
With this set, I can use curl from a shell within the container and successfully access the internet via the defined proxy.
However, when the Self Hosted gateway itself tries to start I get the following error: -
[ConfigurationApiUnreachable], exception: System.ComponentModel.Win32Exception (0x80090020): GSSAPI operation failed with error - An invalid name was supplied (Configuration file does not specify default realm).
It appears to me that it is trying to do something "clever" and expects Kerberos etc to be configured on the client.
When using curl etc, the username:password is passed directly to the proxy to authenticate, but in this case it appears that the API gateway (or I suspect, specifically the AspNet libraries on which it's built are).
I can "get round" this by setting up a CNTLM proxy and configuring the self hosted container to use that, but that's a somewhat less secure workaround so wondering if anyone has had similar and has a better way around this?
Thanks
{count} votes
-
Simon H 0 Reputation points
2024-07-04T08:48:59.5033333+00:00 So just to clarify this - I believe I need to be able to "force" the Self Hosted gateway to use BasicAuth - which our proxy supports, and is the default that curl uses.
To validate this, in the APIG container I set the proxy details:
/app $ export HTTPS_PROXY=http://USERNAME:PASSWORD@xyz.com:80If I do a regular curl, it works as expected: -
/app $ curl -svk https://www.google.co.uk * Uses proxy env variable HTTPS_PROXY == 'http://USERNAME:PASSWORD@xyz.com:80' * Host xyz.com:80 was resolved. * IPv6: (none) * IPv4: 1.2.3.4 * Trying 1.2.3.4:80... * Connected to xyz.com (1.2.3.4) port 80 * CONNECT tunnel: HTTP/1.1 negotiated * allocate connect buffer * Proxy auth using Basic with user 'USERNAME' * Establish HTTP proxy tunnel to www.google.co.uk:443 > CONNECT www.google.co.uk:443 HTTP/1.1 > Host: www.google.co.uk:443 > Proxy-Authorization: Basic XXXXXXXX > User-Agent: curl/8.5.0 > Proxy-Connection: Keep-Alive > < HTTP/1.1 200 Connection established < Date: Thu, 04 Jul 2024 08:25:04 GMT < Proxy-Connection: Keep-Alive < Via: 1.1 xyz.com < Set-Cookie: XXXXXXXX < * CONNECT phase completed * CONNECT tunnel established, response 200 ...If I pass --proxy-any to curl I get: -
/app $ curl -svk https://www.google.co.uk --proxy-any * Uses proxy env variable HTTPS_PROXY == 'http://USERNAME:PASSWORD@xyz.com:80' * Host xyz.com:80 was resolved. * IPv6: (none) * IPv4: 1.2.3.4 * Trying 1.2.3.4:80... * Connected to xyz.com (1.2.3.4) port 80 * CONNECT tunnel: HTTP/1.1 negotiated * allocate connect buffer * Establish HTTP proxy tunnel to www.google.co.uk:443 > CONNECT www.google.co.uk:443 HTTP/1.1 > Host: www.google.co.uk:443 > User-Agent: curl/8.5.0 > Proxy-Connection: Keep-Alive > < HTTP/1.1 407 Proxy Authorization Required < Date: Thu, 04 Jul 2024 08:24:05 GMT < Proxy-Connection: keep-alive < Via: 1.1 xyz.com < Cache-Control: no-store < Content-Type: text/html < Content-Language: en < Proxy-Authenticate: Negotiate < Proxy-Authenticate: NTLM < Access-Control-Allow-Origin: * < Content-Length: 666 < Set-Cookie: XXXXXXXX < * Ignore 666 bytes of response-body * Proxy auth using NTLM with user 'USERNAME' * Establish HTTP proxy tunnel to www.google.co.uk:443 > CONNECT www.google.co.uk:443 HTTP/1.1 > Host: www.google.co.uk:443 > Proxy-Authorization: NTLM XXXXXXXX > User-Agent: curl/8.5.0 > Proxy-Connection: Keep-Alive > < HTTP/1.1 407 Proxy Authorization Required < Date: Thu, 04 Jul 2024 08:24:05 GMT < Proxy-Connection: keep-alive < Via: 1.1 xyz.com < Cache-Control: no-store < Content-Type: text/html < Content-Language: en < Proxy-Authenticate: NTLM XXXXXXXX < Content-Length: 666 < Set-Cookie: XXXXXXXX < * Ignore 666 bytes of response-body * Proxy auth using NTLM with user 'USERNAME' * Establish HTTP proxy tunnel to www.google.co.uk:443 > CONNECT www.google.co.uk:443 HTTP/1.1 > Host: www.google.co.uk:443 > Proxy-Authorization: NTLM XXXXXXXX > User-Agent: curl/8.5.0 > Proxy-Connection: Keep-Alive > < HTTP/1.1 407 Proxy Authorization Required < Date: Thu, 04 Jul 2024 08:24:05 GMT < Proxy-Connection: keep-alive < Via: 1.1 xyz.com < Cache-Control: no-store < Content-Type: text/html < Content-Language: en < Proxy-Authenticate: Negotiate < Proxy-Authenticate: NTLM * NTLM handshake rejected * Authentication problem. Ignoring this. < Access-Control-Allow-Origin: * < Content-Length: 666 < Set-Cookie: XXXXXXXX < * CONNECT tunnel failed, response 407 * Closing connectionSo it's offering NTLM and Negotiate as options and I believe this is why the gateway is trying this.
So, as the proxy does accept BasicAuth (per default curl behaviour), I need to know if there's a way to force this through configuration?
Thanks
Sign in to comment