Re: IIS Authentication Methods

From: Lisa Cozzens [MSFT] (lcozzens@online.microsoft.com)
Date: 03/18/03


From: lcozzens@online.microsoft.com (Lisa Cozzens [MSFT])
Date: Mon, 17 Mar 2003 23:27:19 GMT


Yes, if you open those ports on the firewall, NTLM should work... unless
there's a proxy server sitting somewhere else between the client and the
server. For example, many corporations have proxy servers set up, so
employees coming from those corporations will have to pass through a proxy
server to get to your IIS server. If the corporation's proxy server doesn't
support NTLM, those employees won't be able to authenticate. In that case,
there's nothing you can do -- that proxy server is outside of your control.

Lisa

--------------------
> From: "BB" <Bernard_at_3exp.com>
> Subject: Re: IIS Authentication Methods
> Date: Thu, 13 Mar 2003 11:34:06 +0800
> Organization: 3exp - Bernard Cheah
>
> Yes, based on this kb
> INFO: How IIS Authenticates Browser Clients
> http://support.microsoft.com/?id=264921
>
> My concern here is the firewall. That NTLM doesn't support
> proxy and Netscape and certain internet devices.
> How about the firewall? If I can configure the firewall for the...
>
> How to Configure a Firewall for Domains and Trusts
> http://support.microsoft.com/?id=179442
>
> Am I right to say that NTLM will work on this?
> Since the user token is able to pass through the fw.
>
> Rgds.
>
>
>
> "Lisa Cozzens [MSFT]" <lcozzens@online.microsoft.com> wrote in message
> news:abwKw$Q6CHA.2252@cpmsftngxa08.phx.gbl...
> > That's not correct. What happens is that the browser first tries to
> > authenticate anonymously. IIS of course rejects that request and sends back
> > a 401.2 "Login failed due to server configuration." In that response, it
> > also sends one or more WWW-Authenticate headers stating which
> > authentication mechanisms it supports. The browser selects from that list
> > and sends the credentials over using the selected mechanism.
> >
> > So if you have only Integrated authentication enabled, IIS will *not* send
> > a WWW-Authenticate: Basic header. When Netscape receives the list of
> > supported authentication mechanisms, it will realize that it doesn't
> > support any of them and just return the 401.2 error in the browser to the
> > user. Netscape will *not* try to send any authentication information.
> >
> > Lisa
> >
> > --------------------
> > > From: "Stephen L Nicoud" <nicouds@hotmail.com>
> > > Subject: Re: IIS Authentication Methods
> > > Date: Tue, 11 Mar 2003 18:31:18 -0500
> > >
> > > > When you use Netscape to access a site with both authentication methods
> > > > enabled, Netscape will use Basic authentication, because it doesn't
> > > > understand Integrated authentication.
> > >
> > > Might be a good time to point out that some time ago one person in the
> > > newsgroups claimed to do a netmon on the messages between Netscape and IIS
> > > when on NT Challenge / Response is enabled on the IIS server. He claimed
> > > that Netscape responded by prompting the user for credentials which, if the
> > > user provided them, it tried to send back via Basic Authentication. The
> > > Netscape user is not successful in gaining access, but if true, this would
> > > mean that if you only employ NTCR (IWA) and if a valid user mistakenly uses
> > > Netscape and provides credentials to the prompt, the username and password
> > > will go over the wire in clear text. If one uses SSL regardless of the
> > > authentication mechanism chosen, then this would not be a problem.
> > >
> >
> > -----
> > Please do not send email directly to this alias. This is an online
> > account name for newsgroup participation only.
> >
> > This posting is provided "AS IS" with no warranties, and confers
> > no rights. You assume all risk for your use.
> >
> > © 2003 Microsoft Corporation. All rights reserved.

-----
Please do not send email directly to this alias. This is an online
account name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers
no rights. You assume all risk for your use.

© 2003 Microsoft Corporation. All rights reserved.
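
The 401 negotiation described in the quoted reply above, as an added example that is not part of the original thread: it reads the WWW-Authenticate headers of a 401 response, shows which scheme a client would pick, and flags Basic being offered without SSL/TLS. The sample responses and the client preference lists are constructed assumptions, and the parser assumes one challenge per header line.

```python
# Constructed sample 401 responses (not captured traffic).
INTEGRATED_ONLY = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: NTLM\r\n"
    "Content-Length: 0\r\n\r\n"
)
BOTH_ENABLED = INTEGRATED_ONLY.replace(
    "Content-Length", 'WWW-Authenticate: Basic realm="example"\r\nContent-Length'
)

# Hypothetical client preference lists, following the thread's description:
# Netscape understands only Basic; an Integrated-capable browser prefers it.
NETSCAPE = ["Basic"]
INTEGRATED_CLIENT = ["Negotiate", "NTLM", "Basic"]


def offered_schemes(raw_response):
    """Return the schemes named in a 401's WWW-Authenticate headers, in order."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = lines[0].split()
    if len(status) < 2 or status[1] != "401":
        return []  # not an authentication challenge
    schemes = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "www-authenticate" and value.strip():
            schemes.append(value.split()[0])  # first token is the scheme
    return schemes


def client_choice(offered, supported):
    """First scheme in the client's preference list that the server offered."""
    offered_lower = {s.lower() for s in offered}
    for scheme in supported:
        if scheme.lower() in offered_lower:
            return scheme
    return None  # no common scheme: the user just sees the 401 error


def cleartext_risk(offered, uses_tls):
    """True when Basic is offered on a connection without SSL/TLS."""
    return not uses_tls and any(s.lower() == "basic" for s in offered)
```
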


