I have an internal IIS server running Dokuwiki. The server is configured to use Windows authentication (AD/NTLM/Kerb), which works fine internally, and as I would expect it to.
My Traefik instance is proxying to the Dokuwiki server so people can access it when off network. I didn't expect the NTLM SSO to work, even if they were using a domain joined device. However, a login prompt (which is being sent by the server, not Traefik) is presented (which is what I expected) and, after entering AD credentials, login fails with a Traefik 'Internal Server Error'. It seems like Traefik isn't passing the credentials, but I'm not sure why. The only logs I get are:
```
IP - - [06/Apr/2020:14:19:53 +0000] "GET / HTTP/2.0" 401 1293 "-" "-" 6341354 "itwiki_secure@file" "https://itwiki.FQDN" 2ms
IP - - [06/Apr/2020:14:19:53 +0000] "GET / HTTP/1.1" 500 21 "-" "-" 6341355 "itwiki_secure@file" "https://itwiki.FQDN" 1ms
```
A screenshot of what the login prompt looks like. On a non-NTLM/Kerb browser (like Firefox private mode) I get the same prompt internally and externally. Internally it works fine. Externally it does not.
The IIS logs show a connection from the Traefik server, but not with the provided credentials.
When Windows auth is disabled on IIS, you get sent to the regular Dokuwiki login page via Traefik, which accepts the AD credentials perfectly.
```toml
[http.routers.itwiki]
  entryPoints = ["web"]
  rule = "Host(`itwiki.FQDN`)"
  service = "itwiki"
  middlewares = ["httpsredirect"]

# itwiki HTTPS
[http.routers.itwiki_secure]
  entryPoints = ["websecure"]
  rule = "Host(`itwiki.FQDN`)"
  service = "itwiki"
  [http.routers.itwiki_secure.tls]
    certResolver = "letsencrypt"

# ITWiki Service
[http.services.itwiki.loadBalancer]
  [[http.services.itwiki.loadBalancer.servers]]
    url = "https://itwiki.FQDN"
```
I'm using HTTPS for the Service to prevent a 'Too Many Redirects' error. I have `insecureSkipVerify = true` in the Global config also.
Is there some middleware or setting I'm missing somewhere for this to get passed through? I can't get the Dokuwiki server to default to its own login page if Auth fails, so I need to get this login prompt sending credentials through Traefik properly.