Hi, is it possible to set up Windows NTLM pass-through authentication so users don't need to enter their passwords at all?
The LDAP plugin is working fine with our AD, but we want to have a kind of seamless experience.
Sorry, no, this cannot be done. You can set up a proxy in front of CrushFTP doing this, and have the proxy pass a header to CrushFTP which Crush will then trust for the user... but CrushFTP can't directly handle NTLM auth.
Seems like I'll need a 'webapp' rather than a classic proxy here.
Considering that with NTLM auth the proxy won't have access to the domain password, only some kind of hash, I'll need to handle that in the webapp and generate some kind of password to hand over to CrushFTP, then pre-create that user on the CrushFTP server and only then log in with these new credentials.
Well, it's a pity this isn't possible; I hoped it was just a feature of the enterprise license.
You would put a proxy in front that does the NTLM; no hash needed, that is all internal to the NTLM. All the proxy does is provide a web header indicating the username that is authenticated. Auth happens at the proxy, and CrushFTP blindly trusts whatever the proxy says for authentication. Systems like "SiteMinder" work like this: they do the auth, and the services behind it just have to trust it.
Well, you were right, it is possible. After several hours spent googling around, I at last made it work.
If you're interested, all you need is IIS in ARR proxy mode and ISAPI Rewrite Lite from Helicon Tech. All of them are free.
ISAPI Rewrite is required because there's no way to get the user login with vanilla IIS ARR rewrite functionality. All requests are passed through all right, but you only have a base64-encoded block of NTLM authorization which you can't convert to anything useful.
Currently I have set it up so CrushFTP listens on localhost only, while IIS covers the HTTP and HTTPS ports and forwards all requests to CFTP with an added 'trusted' header containing the user login.
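The setup above rests on one trust boundary: the proxy authenticates (NTLM here) and stamps a header with the account name, and CrushFTP accepts that header without further checks. The model below is an added example, not code from the thread, CrushFTP or IIS. It shows why two details matter: the proxy must strip any copy of the trusted header the client sends (HTTP allows repeated headers, and names are case-insensitive), and the backend must only honour the header on connections from the proxy, which is what binding CrushFTP to localhost achieves. The header name `X-Trusted-User`, the loopback address and all function names are my own assumptions; the "forged" request is a constructed sample.

```python
"""Model of the proxy -> trusted-header -> backend pattern from the thread.

Assumptions (not from the original post): the header is called X-Trusted-User,
the proxy and CrushFTP share a host so the backend sees the proxy as 127.0.0.1,
and the backend's trust is modelled as an explicit source-address check.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Header = Tuple[str, str]

TRUSTED_HEADER = "X-Trusted-User"   # assumed header name
PROXY_ADDRESS = "127.0.0.1"         # CrushFTP bound to localhost, IIS on the same box


@dataclass
class Request:
    headers: List[Header]   # ordered (name, value) pairs; HTTP permits repeats
    client_ip: str          # address the receiving server sees the connection from


def _values(headers: List[Header], name: str) -> List[str]:
    """All values for a header, matched case-insensitively as HTTP requires."""
    return [v for k, v in headers if k.lower() == name.lower()]


def naive_proxy_forward(req: Request, authenticated_user: str) -> Request:
    """Weak proxy: appends the trusted header but leaves client-supplied copies in place."""
    return Request(req.headers + [(TRUSTED_HEADER, authenticated_user)], PROXY_ADDRESS)


def proxy_forward(req: Request, authenticated_user: Optional[str]) -> Optional[Request]:
    """Hardened proxy: only forward authenticated requests, drop every client copy of
    the trusted header (any letter case), then add the proxy's own value."""
    if not authenticated_user:
        return None  # the real proxy would answer with an NTLM challenge instead
    clean = [(k, v) for k, v in req.headers if k.lower() != TRUSTED_HEADER.lower()]
    return Request(clean + [(TRUSTED_HEADER, authenticated_user)], PROXY_ADDRESS)


def first_value_backend(req: Request, trusted_proxy: str = PROXY_ADDRESS) -> Optional[str]:
    """Backend that takes the first matching header, like a plain getHeader() call."""
    if req.client_ip != trusted_proxy:
        return None
    found = _values(req.headers, TRUSTED_HEADER)
    return found[0] if found else None


def backend_identify(req: Request, trusted_proxy: str = PROXY_ADDRESS) -> Optional[str]:
    """Backend that honours the header only from the proxy and refuses ambiguity:
    exactly one value, or no identity at all."""
    if req.client_ip != trusted_proxy:
        return None
    found = _values(req.headers, TRUSTED_HEADER)
    if len(found) != 1:
        return None  # missing or duplicated: do not guess which one to trust
    return found[0]


def demo() -> Tuple[Optional[str], Optional[str], Optional[str], Optional[str]]:
    """Constructed sample: user 'alice' authenticates to the proxy, but her client also
    sends a forged, lower-cased copy of the trusted header claiming 'administrator'."""
    forged = Request(
        [("Host", "files.example.internal"), ("x-trusted-user", "administrator")],
        client_ip="10.0.0.5",
    )
    direct = backend_identify(forged)                                  # bypassing the proxy
    naive = first_value_backend(naive_proxy_forward(forged, "alice"))  # weak proxy + weak backend
    naive_strict = backend_identify(naive_proxy_forward(forged, "alice"))
    hardened = backend_identify(proxy_forward(forged, "alice"))        # hardened proxy
    return direct, naive, naive_strict, hardened


if __name__ == "__main__":
    for label, who in zip(("direct", "naive", "naive+strict backend", "hardened"), demo()):
        print(f"{label:>22}: {who}")
```

The first result is why the localhost-only binding matters: with CrushFTP reachable from the network, the forged request would be trusted as-is. The second shows that merely adding the header is not enough when the client can send its own copy; the third and fourth show that either side (a backend that rejects duplicates, or a proxy that strips before stamping) closes the hole, and using both costs nothing.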