Re: IIS Authentication Methods

From: BB (Bernard_at_3exp.com)
Date: 03/18/03 

From: "BB" <Bernard_at_3exp.com>
Date: Tue, 18 Mar 2003 10:11:20 +0800

Thanks Lisa.

I assumed it should work too. 

-- 
Regards,
Bernard
http://support.microsoft.com/
"Lisa Cozzens [MSFT]" <lcozzens@online.microsoft.com> wrote in message
news:fppy5yN7CHA.2768@cpmsftngxa06...
> Yes, if you open those ports on the firewall, NTLM should work... unless
> there's a proxy server sitting somewhere else between the client and the
> server. For example, many corporations have proxy servers set up, so
> employees coming from those corporations will have to pass through a proxy
> server to get to your IIS server. If the corporation's proxy server
doesn't
> support NTLM, those employees won't be able to authenticate. In that case,
> there's nothing you can do -- that proxy server is outside of your
control.
>
> Lisa
>
> --------------------
> > From: "BB" <Bernard_at_3exp.com>
> > References: <00f301c2e804$ce4e8200$a401280a@phx.gbl>
> <0ednGnA6CHA.2312@cpmsftngxa08.phx.gbl>
> <ughB84C6CHA.2368@TK2MSFTNGP10.phx.gbl>
> <abwKw$Q6CHA.2252@cpmsftngxa08.phx.gbl>
> > Subject: Re: IIS Authentication Methods
> > Date: Thu, 13 Mar 2003 11:34:06 +0800
> > Lines: 95
> > Organization: 3exp - Bernard Cheah
> > X-Priority: 3
> > X-MSMail-Priority: Normal
> > X-Newsreader: Microsoft Outlook Express 6.00.3718.0
> > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3718.0
> > Message-ID: <eBMfoFR6CHA.2644@TK2MSFTNGP11.phx.gbl>
> > Newsgroups: microsoft.public.inetserver.iis.security
> > NNTP-Posting-Host: 203.115.210.205
> > Path: cpmsftngxa06!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP11.phx.gbl
> > Xref: cpmsftngxa06 microsoft.public.inetserver.iis.security:16287
> > X-Tomcat-NG: microsoft.public.inetserver.iis.security
> >
> > Yes, based on this kb
> > INFO: How IIS Authenticates Browser Clients
> > http://support.microsoft.com/?id=264921
> >
> > My concern here is firewall. that NTLM doesn't support
> > proxy and netscape and certain internet devices.
> >  how about firewall ? if I can configure firewall for the...
> >
> > How to Configure a Firewall for Domains and Trusts
> > http://support.microsoft.com/?id=179442
> >
> > Am I right to say that - NTLM will work on this ?
> > since the user token able to pass-through the fw.
> >
> > Rgds.
> >
> >
> >
> > "Lisa Cozzens [MSFT]" <lcozzens@online.microsoft.com> wrote in message
> > news:abwKw$Q6CHA.2252@cpmsftngxa08.phx.gbl...
> > > That's not correct. What happens is that the browser first tries to
> > > authenticate anonymously. IIS of course rejects that request and sends
> > back
> > > a 401.2 "Login failed due to server configuration." In that response,
it
> > > also sends one or more WWW-Authenticate headers stating which
> > > authentication mechanisms it supports. The browser selects from that
> list
> > > and sends the credentials over using the selected mechanism.
> > >
> > > So if you have only Integrated authentication enabled, IIS will *not*
> send
> > > a WWW-Authenticate: Basic header. When Netscape receives the list of
> > > supported authentication mechanisms, it will realize that it doesn't
> > > support any of them and just return the 401.2 error in the browser to
> the
> > > user. Netscape will *not* try to send any authentication information.
> > >
> > > Lisa
> > >
> > > --------------------
> > > > From: "Stephen L Nicoud" <nicouds@hotmail.com>
> > > > References: <00f301c2e804$ce4e8200$a401280a@phx.gbl>
> > > <0ednGnA6CHA.2312@cpmsftngxa08.phx.gbl>
> > > > Subject: Re: IIS Authentication Methods
> > > > Date: Tue, 11 Mar 2003 18:31:18 -0500
> > > > Lines: 17
> > > > MIME-Version: 1.0
> > > > Content-Type: text/plain;
> > > > charset="iso-8859-1"
> > > > Content-Transfer-Encoding: quoted-printable
> > > > X-Priority: 3
> > > > X-MSMail-Priority: Normal
> > > > X-Newsreader: Microsoft Outlook Express 6.00.2720.3000
> > > > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
> > > > Message-ID: <ughB84C6CHA.2368@TK2MSFTNGP10.phx.gbl>
> > > > Newsgroups: microsoft.public.inetserver.iis.security
> > > > NNTP-Posting-Host: ip68-100-135-136.nv.nv.cox.net 68.100.135.136
> > > > Path:
> > >
> >
>
cpmsftngxa08.phx.gbl!cppssbbsa01.microsoft.com!news-out.cwix.com!newsfeed.cw
> > >
> >
>
ix.com!newsengine.sol.net!newsfeeds.sol.net!newsfeed.news2me.com!border1.nnt
> > >
> >
>
p.aus1.giganews.com!nntp.giganews.com!sjc70.webusenet.com!news.webusenet.com
> > > !cyclone.bc.net!msrtrans1!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP10.phx.gbl
> > > > Xref: cpmsftngxa08.phx.gbl
> > microsoft.public.inetserver.iis.security:16284
> > > > X-Tomcat-NG: microsoft.public.inetserver.iis.security
> > > >
> > > > > When you use Netscape to access a site with both authentication
> > methods
> > > > > enabled, Netscape will use Basic authentication, because it
doesn't
> > > > > understand Integrated authentication.
> > > > Might be a good time to point out that some time ago one person in
the
> > > newsgroups claimed to do a netmon on the messages between Netscape and
> IIS
> > > when on NT Challenge / Response is enabled on the IIS server.  He
> claimed
> > > that Netscape responded by prompting the user for credentials which,
if
> > the
> > > user provided them, it tried to send back via Basic Authentication.
The
> > > Netscape user is not successful in gaining access, but if true, this
> would
> > > mean that if you only employ NTCR (IWA) and if a valid user mistakenly
> > uses
> > > Netscape and provides credentials to the prompt, the username and
> password
> > > will go over the wire in clear text.  If one uses SSL regardless of
the
> > > authentication mechanism chosen, then this would not be a problem.
> > > >
> > >
> > > -----
> > > Please do not send email directly to this alias. This is an online
> > > account name for newsgroup participation only.
> > >
> > > This posting is provided "AS IS" with no warranties, and confers
> > > no rights. You assume all risk for your use.
> > >
> > > ?2003 Microsoft Corporation. All rights reserved.
> > >
> >
> >
> >
>
> -----
> Please do not send email directly to this alias. This is an online
> account name for newsgroup participation only.
>
> This posting is provided "AS IS" with no warranties, and confers
> no rights. You assume all risk for your use.
>
> © 2003 Microsoft Corporation. All rights reserved.
>

Relevant Pages

  • Re: httpwebrequest with https behind proxy with authentication
    ... Our proxy server uses NTLM authentication and as you suggested I modified the code as follows: ... I still receive "The remote server returned an error: Proxy Authentication Required." ... and it works if I use http instead of https or if I disable authentication on the proxy ...
    (microsoft.public.dotnet.framework)
  • Re: 407:Proxy authentication error while try to access Web Service published on internet
    ... Proxy Servers can demand authentication just like web servers do. ... If you want to specify credentials to a proxy server, ...
    (microsoft.public.dotnet.framework.aspnet.webservices)
  • Re: IIS Authentication Methods
    ... Yes, if you open those ports on the firewall, NTLM should work... ... If the corporation's proxy server doesn't ... > proxy and netscape and certain internet devices. ... >> supported authentication mechanisms, it will realize that it doesn't ...
    (microsoft.public.inetserver.iis.security)
  • Re: Authentication on MAC OS-10
    ... behind a firewall or proxy server. ... you may want to try the new Netscape as ... >>authenticate to a sharepoint services site. ... >> at the server is set to both Basic and Windows Authentication. ...
    (microsoft.public.sharepoint.windowsservices)
  • NTLM/Browser Storing Any Sessions ??
    ... Right now we have a proxy server which has enabled NTLM Autentication ... Enabled for all Internet Website. ... Authentication Prompt(it could be the server has been enabled with the ...
    (microsoft.public.inetserver.iis.ftp)