Open phillipunzen opened 1 month ago
Please show me what the Caddyfile looks like. I want to see if the http_ntlm option is there or not.
Which os-caddy was your prior version and which version are you on now?
EDIT:
As a baseline, the last time I tested it with Exchange 2019 and Outlook was when I evaluated NTLM again here: https://github.com/opnsense/plugins/pull/4072
That was after the binary of Caddy had been updated to 2.8.4. So I tested it in os-caddy-1.5.7.
There hasn't been any difference with the build or with the template in that regard. So essentially there should not be a difference right now.
Sooo... This is a part from the Caddyfile:

```caddyfile
# Reverse Proxy Domain: "623c2f46-e854-4811-ae7b-b1f103c01e6c"
*.petersen-nf.com {
    @372ffa3f-9de1-4144-acb3-3ec2c6407d9c {
        host outlook.petersen-nf.com
    }
    handle @372ffa3f-9de1-4144-acb3-3ec2c6407d9c {
        handle {
            reverse_proxy 192.168.10.14:443 {
                transport http_ntlm {
                    tls
                    tls_insecure_skip_verify
                    tls_server_name outlook.phillipunzen.de
                }
            }
        }
    }
    @96d079b9-d85c-4626-acab-75748bed9f09 {
        host autodiscover.petersen-nf.com
    }
    handle @96d079b9-d85c-4626-acab-75748bed9f09 {
        handle {
            reverse_proxy 192.168.10.14:443 {
                transport http_ntlm {
                    tls
                    tls_insecure_skip_verify
                    tls_server_name outlook.phillipunzen.de
                }
            }
        }
    }
}
import /usr/local/etc/caddy/caddy.d/*.conf
```

I use OPNsense 27.7_9 and os-caddy 1.6.1. My OPNsense has no updates at this time...
I have just set up "Windows Authentication" in IIS, set it to NTLM, and protected the default IIS website with it.
Then I tested the authentication with NTLM and without NTLM in Caddy.
Without NTLM activated, the login mask appeared after each try.
With NTLM activated, I got authenticated.
So it should work essentially.
That means there is a configuration error here.
Can you open the Caddyfile /usr/local/etc/caddy/Caddyfile and turn this:

```caddyfile
transport http_ntlm {
    tls
    tls_insecure_skip_verify
    tls_server_name outlook....
}
```

Into this:

```caddyfile
transport http_ntlm {
    tls_insecure_skip_verify
}
```

After editing and saving the Caddyfile, issue a:

```shell
service caddy reloadssl
```

That will reload Caddy without regenerating the template. Afterwards test it again please.
I edited the Caddyfile to your schema. I got the same error...
Hm, OPNsense rewrites the Caddyfile after a reboot back to the old version with tls activated. The config change is not being saved...
Can you configure the server correctly for TLS?
Import the self-signed Exchange certificate and select it as the TLS trust pool.

- NTLM enabled
- TLS enabled
- TLS Trust Pool: Exchange Server certificate
- TLS server name: SAN of the Exchange server certificate
- TLS insecure skip verify DISABLED
Check out the docs: https://docs.opnsense.org/manual/how-tos/caddy.html#reverse-proxy-the-opnsense-webgui
I hope that works; if not, I don't have an Exchange server I can test it with anymore. I only confirmed it working with IIS itself.
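As an added illustration of the checklist above (not code from the thread or from the os-caddy templates, which OPNsense generates and will overwrite on reboot, so the settings belong in the GUI), this is what the generated reverse_proxy block should express in both states. The backend IP, host name and PEM path are placeholders.

```caddyfile
# Weak: NTLM transport with certificate verification switched off.
# Outlook still authenticates, but Caddy accepts any certificate from
# the backend, so anything on the path to 192.168.10.14 could impersonate
# Exchange. (Placeholder IP; constructed example.)
reverse_proxy 192.168.10.14:443 {
    transport http_ntlm {
        tls
        tls_insecure_skip_verify
    }
}

# Hardened: pin the backend to the imported Exchange certificate and verify
# the name it presents. "mail.example.com" is a placeholder and must match
# one of the SANs on that certificate; the PEM path is hypothetical, since
# OPNsense writes the imported trust pool to its own location.
reverse_proxy 192.168.10.14:443 {
    transport http_ntlm {
        tls
        tls_trust_pool file /path/to/exchange-trust-pool.pem
        tls_server_name mail.example.com
    }
}
```

After the change, a mismatched SAN or a certificate not in the trust pool shows up as a TLS handshake error in the Caddy log rather than as a silent downgrade, which is the signal to check the imported certificate instead of re-enabling skip-verify.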
**Describe the bug**
I have pulled the OPNsense including caddy reverse proxy to the current version. Unfortunately, NTLM is not forwarded, which I need for the Outlook desktop clients that access my Exchange server.
**Expected behavior**
I want to connect my Outlook clients