Re: NTLM through firewall?

From: Karl Levinson [x y], mvp (levinson_k@despammed.com)
Date: 03/26/03


From: "Karl Levinson [x y], mvp" <levinson_k@despammed.com>
Date: Wed, 26 Mar 2003 08:22:53 -0500


I believe the relevant Microsoft KB documents do vaguely claim that NTLM has
issues through firewalls, but I'm not sure that's as informative as it could
be or that it has anything to do with ports being closed. I'm also not sure
that NTLM uses any port other than TCP 80. I remember someone else here
stating that NTLM should work through firewalls, though maybe not proxy
servers. Clearly in your case it seems to be working.

"Jeff Mallinger" <jmallinger@lifeserv.com> wrote in message
news:uNII6818CHA.3008@TK2MSFTNGP11.phx.gbl...
> Hello -
>
> I was testing NTLM (challenge/response) authentication with one of my IIS
> servers (which sits on the other side of our firewall) and when I accessed
> the site, it prompted me with a username/password box. When I entered my
> credentials for the domain that the site belongs to, it granted me access to
> the site.
>
> I've read that NTLM isn't supported through *most* firewalls, since most
> firewalls don't have ports 137/138 open (for NetBIOS - or NetBT ?). I also
> administer our firewall and double-checked that those ports aren't open -
> which seems weird to me that I was able to get the prompt & authenticate.
>
> I thought that IIS perhaps rolled-back and authenticated me with clear-text,
> Basic authentication - but in my IIS website properties, I had Anonymous
> access turned off & the Basic authentication option unchecked -- only
> Integrated Windows authentication.
>
> Both the server and client machines are Win2k Server - but both belong to
> separate NT4 domains.
>
> Does anyone have any idea how authentication was successful - what method
> was used & why?
>
> Thanks for the info!
> -j
>
>
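
Added example, not part of the original thread: NTLM over HTTP travels as base64-encoded NTLMSSP messages in the WWW-Authenticate and Authorization headers of the web connection itself, so the scheme a server actually used can be read from a captured header. The Python below classifies such a header value; the function name and the sample headers are constructed for illustration.

```python
import base64
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"  # 8-byte signature that opens every NTLM message
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def classify_auth_header(value):
    """Return (mechanism, sends_password_in_clear) for the value of an
    Authorization or WWW-Authenticate header."""
    scheme, _, token = value.strip().partition(" ")
    scheme, token = scheme.lower(), token.strip()
    if not token:
        return (scheme + " offered, no token", False)
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:
        return (scheme + " with undecodable token", False)
    if scheme == "basic":
        # Basic is only base64("user:password"); anyone on the path can read it.
        return ("Basic", b":" in raw)
    if scheme in ("ntlm", "negotiate"):
        # Negotiate may wrap NTLMSSP inside SPNEGO, so search for the signature.
        pos = raw.find(NTLMSSP_SIG)
        if pos >= 0 and len(raw) >= pos + 12:
            # A little-endian uint32 message type follows the signature.
            (mtype,) = struct.unpack_from("<I", raw, pos + 8)
            name = NTLM_TYPES.get(mtype, "unknown")
            return ("NTLM type %d (%s)" % (mtype, name), False)
        return (scheme + " token without NTLMSSP signature", False)
    return (scheme + " (not classified)", False)


def _b64(data):
    return base64.b64encode(data).decode("ascii")


# Constructed sample headers (not captured traffic); the flag value is arbitrary.
SAMPLES = {
    "ntlm_type1": "NTLM " + _b64(NTLMSSP_SIG + struct.pack("<II", 1, 0x00008207)),
    "ntlm_type3": "NTLM " + _b64(NTLMSSP_SIG + struct.pack("<I", 3) + b"\x00" * 52),
    "basic": "Basic " + _b64(b"EXAMPLE\\jdoe:not-a-real-password"),
    "offer": "NTLM",
}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        print(label, "->", classify_auth_header(header))
```

A type 3 message in the client's Authorization header means NTLM completed over the HTTP connection; a Basic header with a decodable `user:password` pair means the credentials crossed the wire in the clear.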


