Re: NTLM over the Internet

From: Karl Levinson [x y] mvp (levinson_k_at_despammed.com)
Date: 11/20/03


Date: Thu, 20 Nov 2003 01:00:16 -0500

It's also not recommended because 1) Windows Integrated Authentication is
NOT securely encrypted, and 2) it only works for IE and only on Windows.
Also, the default settings in newer versions of IE won't send Windows
Integrated Authentication by default to Internet sites.

"Marshall" <mashburnwest@yahoo.com> wrote in message
news:BC737A37-8FC0-4373-9DB9-7F1204346C86@microsoft.com...
> I've read in a couple of Microsoft articles that NTLM should not be used
> over the Internet for authenticating users. The reason given is that NTLM
> relies on 'implicit end-to-end state' so that proxies positioned between the
> client and web server can cause unexpected problems (most notably 'Access
> Denied'). I have 2 questions related to this:
> 1. Does anyone have any further technical details on exactly what
> situations would cause problems? I've set up a test server using NTLM over
> the Internet, tested from multiple locations (trying to access server
> through a different path) but cannot produce the error. What proxy
> configuration would cause this?
> 2. If SSL is being used, can NTLM be reliably used (i.e. must proxies
> follow different rules for SSL so that 'implicit end-to-end state' would be
> accomplished)?
>
> Thanks for any help,
>
> Marshall
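
The 'implicit end-to-end state' in the quoted question refers to NTLM over HTTP authenticating the connection rather than each request: the challenge and the response to it must travel on the same connection to the server. The following toy model is an added example, not part of the original thread; the `Server`, `Proxy` and `login` names, the HMAC stand-in for the NTLM response, and the two-connection upstream pool are all assumptions made for illustration.

```python
import hmac, itertools

SECRET = b"constructed-demo-secret"   # constructed stand-in for the user's credential

def proof(challenge):
    # Stand-in for the NTLM response computation (real NTLM uses different crypto)
    return hmac.new(SECRET, challenge.encode(), "sha256").hexdigest()

class Server:
    """Toy origin server: handshake state lives on the TCP connection."""
    def __init__(self):
        self.pending = {}                  # connection id -> challenge issued on it
        self.serial = itertools.count(1)

    def handle(self, conn, auth):
        kind, _, value = (auth or "").partition(":")
        if kind == "NEGOTIATE":            # Type 1 -> reply with a Type 2 challenge
            self.pending[conn] = f"chal-{next(self.serial)}"
            return 401, "CHALLENGE:" + self.pending[conn]
        if kind == "AUTHENTICATE":         # Type 3 must arrive on the same connection
            challenge = self.pending.pop(conn, None)
            if challenge and hmac.compare_digest(value, proof(challenge)):
                return 200, "OK"
        return 401, "NTLM"                 # no handshake in progress on this connection

class Proxy:
    """Hypothetical proxy with a pool of two upstream connections."""
    def __init__(self, server, pinned):
        self.server, self.pinned = server, pinned
        self.pool = itertools.cycle(["upstream-1", "upstream-2"])
        self.pins = {}                     # client id -> upstream connection

    def forward(self, client, auth):
        if self.pinned:                    # keep one client on one upstream connection
            conn = self.pins.setdefault(client, next(self.pool))
        else:                              # spread requests across the pool
            conn = next(self.pool)
        return self.server.handle(conn, auth)

def login(proxy, client="client-A"):
    proxy.forward(client, None)                        # anonymous request -> 401
    status, header = proxy.forward(client, "NEGOTIATE")
    challenge = header.split(":", 1)[1]
    status, _ = proxy.forward(client, "AUTHENTICATE:" + proof(challenge))
    return status

if __name__ == "__main__":
    print("pooled proxy:", login(Proxy(Server(), pinned=False)))
    print("pinned proxy:", login(Proxy(Server(), pinned=True)))
```

A proxy that forwards every request from one client over a single upstream connection behaves like the pinned case, which is consistent with a test through such a path not reproducing the error.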


