jjcollinge / traefik-on-service-fabric

Azure Service Fabric now has support for Traefik!
MIT License

Connect to SF that uses windows security #7

Open dealboy opened 7 years ago

dealboy commented 7 years ago

Hi there,

I would like to use Traefik with the SF provider, but my use case has Windows security enabled, not certificates.

I configured Traefik to run under a user account that has read access to the SF cluster, but it is not enough, as the communication is HTTP and no credentials are passed. (In the Traefik logs I get a 401 Unauthorized error when Traefik tries to query SF for applications.)

Is there a way to configure that?

Thanks, Yannis

lawrencegripper commented 7 years ago

Currently the fork doesn't include support for Windows Credentials.

Potentially we could test using something like https://github.com/Azure/go-ntlmssp in the provider to support NTLM auth. We're considering refactoring out the SF Go client into its own package, so this could sit under this work.

The toml config here could then be updated to include the credentials for the user.

@jjcollinge what do you think?

jjcollinge commented 7 years ago

@dealboy thanks for raising this issue. As @lawrencegripper mentioned, this is not a currently supported scenario. However, we are going to pick up this piece of work as part of our Go SF SDK extraction #8.

dealboy commented 7 years ago

That's great, thanks guys! I will be watching the repo for changes!

Minor comment: beyond setting credentials in the toml config, consider (if possible) also supporting integrated Windows authentication based on the account that runs the Traefik (client) service.

lawrencegripper commented 7 years ago

Np, thanks for trying out Traefik on SF!

I think using integrated security will be an order of magnitude more complex, as we're working in Golang, which doesn't support it out of the box. I believe we'd need to be able to use the SSPI API, as was attempted here, or this library looks like it may enable it: gssapi. Happy to consider it a stretch goal for further down the line, sound good?

lyweilian commented 5 years ago

Do you guys think there will be any movement on this enhancement soon? The only way I've been working around Windows Authentication is to write another WebAPI to run as an authorized user to proxy the calls from Traefik to Service Fabric's API.

lawrencegripper commented 5 years ago

Hi, I'm afraid there isn't currently any ongoing work on this issue. We're very much open to contributions if anyone would like to pick it up and start working on it though.