Re: NTLM over the Internet
From: Marshall (anonymous_at_discussions.microsoft.com)
Date: Thu, 20 Nov 2003 07:26:08 -0800
Thanks Karl and Sukesh,
I guess I didn't mention I was already assuming a Windows/IE only user base :) Anyway, my question about the technical details of ntml being blocked by proxies was geared toward 'things to avoid (proxy configurations) when setting up NTLM internally where proxies will be involved.' I would hate to setup an internal authentication system that couldn't operate properly because of our internal network configuration. Does anyone have any specifics on this or any good references? I've been searching for a while now but haven't been able to get any low-level details. Thanks,
----- Karl Levinson [x y] mvp wrote: -----
It's also not recommended because 1) windows integrated authentication is
NOT securely encrypted, and 2) it only works for IE and only on Windows.
Also, the default settings in newer versions of IE won't send windows
integrated authentication by default to Internet sites.
"Marshall" <email@example.com> wrote in message
> I've read in a couple of Microsoft articles that ntlm should not be used
over the internet for authenticating users. The reason given is that ntlm
relies on 'implicit end-to-end state' so that proxies positioned between the
client and web server can cause unexpected problems (most notably 'Access
Denied'). I have 2 questions related to this:
> 1. Does anyone have any further technical details on exactly what
situations would cause problems? I've setup a test server using ntlm over
the internet, tested from multiple locations (trying to access server
through a different path) but cannot produce the error. What proxy
configuration would cause this?
> 2. If SSL is being used, can ntlm be reliably used (i.e. must proxies
follow different rules for SSL so that 'implicit end-to-end state' would be
>> Thanks for any help,