Re: NTLM over the Internet

From: Marshall (anonymous_at_discussions.microsoft.com)
Date: 11/20/03


Date: Thu, 20 Nov 2003 07:26:08 -0800

Thanks Karl and Sukesh,

I guess I didn't mention I was already assuming a Windows/IE only user base :) Anyway, my question about the technical details of NTLM being blocked by proxies was geared toward 'things to avoid (proxy configurations) when setting up NTLM internally where proxies will be involved.' I would hate to set up an internal authentication system that couldn't operate properly because of our internal network configuration. Does anyone have any specifics on this or any good references? I've been searching for a while now but haven't been able to get any low-level details. Thanks,

Marshall
     
     ----- Karl Levinson [x y] mvp wrote: -----

     It's also not recommended because 1) Windows integrated authentication is
     NOT securely encrypted, and 2) it only works for IE and only on Windows.
     Also, the default settings in newer versions of IE won't send Windows
     integrated authentication by default to Internet sites.


     "Marshall" <mashburnwest@yahoo.com> wrote in message
     news:BC737A37-8FC0-4373-9DB9-7F1204346C86@microsoft.com...
     > I've read in a couple of Microsoft articles that NTLM should not be used
     > over the Internet for authenticating users. The reason given is that NTLM
     > relies on 'implicit end-to-end state' so that proxies positioned between the
     > client and web server can cause unexpected problems (most notably 'Access
     > Denied'). I have 2 questions related to this:
     >
     > 1. Does anyone have any further technical details on exactly what
     > situations would cause problems? I've set up a test server using NTLM over
     > the Internet, tested from multiple locations (trying to access server
     > through a different path) but cannot produce the error. What proxy
     > configuration would cause this?
     >
     > 2. If SSL is being used, can NTLM be reliably used (i.e. must proxies
     > follow different rules for SSL so that 'implicit end-to-end state' would be
     > accomplished)?
     >
     > Thanks for any help,
     > Marshall
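
Added example, not part of the original thread or any poster's code: a simplified Python model of the 'implicit end-to-end state' mentioned in the quoted question, where the server ties the NTLM handshake to one connection and a proxy either keeps or breaks that tie. The class names, the `type1`/`type3` message labels and the `pin_upstream` flag are assumptions made for illustration; no real proxy or IIS API is modelled.

```python
import itertools

class Server:
    """Toy origin that authenticates the connection, not each request (as HTTP NTLM does)."""
    def __init__(self):
        self.state = {}  # upstream connection id -> "challenged" | "authenticated"

    def handle(self, conn_id, auth):
        st = self.state.get(conn_id)
        if st == "authenticated":
            return 200                              # connection already proven
        if auth == "type1":                         # NEGOTIATE
            self.state[conn_id] = "challenged"      # challenge remembered per connection
            return 401                              # 401 carrying the CHALLENGE (type 2)
        if auth == "type3" and st == "challenged":  # AUTHENTICATE on the same connection
            self.state[conn_id] = "authenticated"
            return 200
        return 401  # anonymous, or type3 on a connection that never saw the challenge

class Proxy:
    """Hypothetical proxy; pin_upstream decides whether one client connection
    always maps to the same server-side connection."""
    def __init__(self, server, pin_upstream):
        self.server, self.pin_upstream = server, pin_upstream
        self.ids = itertools.count(1)
        self.pinned = {}

    def forward(self, client_conn, auth):
        if self.pin_upstream:
            if client_conn not in self.pinned:
                self.pinned[client_conn] = next(self.ids)
            upstream = self.pinned[client_conn]
        else:
            upstream = next(self.ids)  # fresh or pooled connection for every request
        return self.server.handle(upstream, auth)

def browser_fetch(proxy, client_conn="c1"):
    """Constructed request sequence: anonymous, type1, type3, then a follow-up request."""
    return [proxy.forward(client_conn, a) for a in (None, "type1", "type3", None)]

if __name__ == "__main__":
    print("pinned upstream  :", browser_fetch(Proxy(Server(), pin_upstream=True)))
    print("unpinned upstream:", browser_fetch(Proxy(Server(), pin_upstream=False)))
```

In this model the unpinned proxy never lets the handshake complete, which is how a repeated 401 or 'Access Denied' arises when a proxy does not keep the client-to-server connection mapping stable.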
     
     
     


