Re: NTLM over the Internet

From: Marshall (anonymous_at_discussions.microsoft.com)
Date: 11/20/03


Date: Thu, 20 Nov 2003 07:26:08 -0800

Thanks Karl and Sukesh,

I guess I didn't mention I was already assuming a Windows/IE only user base :) Anyway, my question about the technical details of ntml being blocked by proxies was geared toward 'things to avoid (proxy configurations) when setting up NTLM internally where proxies will be involved.' I would hate to setup an internal authentication system that couldn't operate properly because of our internal network configuration. Does anyone have any specifics on this or any good references? I've been searching for a while now but haven't been able to get any low-level details. Thanks,

Marshall
     
     ----- Karl Levinson [x y] mvp wrote: -----
     
     It's also not recommended because 1) windows integrated authentication is
     NOT securely encrypted, and 2) it only works for IE and only on Windows.
     Also, the default settings in newer versions of IE won't send windows
     integrated authentication by default to Internet sites.
     
     
     "Marshall" <mashburnwest@yahoo.com> wrote in message
     news:BC737A37-8FC0-4373-9DB9-7F1204346C86@microsoft.com...
> I've read in a couple of Microsoft articles that ntlm should not be used
     over the internet for authenticating users. The reason given is that ntlm
     relies on 'implicit end-to-end state' so that proxies positioned between the
     client and web server can cause unexpected problems (most notably 'Access
     Denied'). I have 2 questions related to this:
> 1. Does anyone have any further technical details on exactly what
     situations would cause problems? I've setup a test server using ntlm over
     the internet, tested from multiple locations (trying to access server
     through a different path) but cannot produce the error. What proxy
     configuration would cause this?
> 2. If SSL is being used, can ntlm be reliably used (i.e. must proxies
     follow different rules for SSL so that 'implicit end-to-end state' would be
     accomplished)?
>> Thanks for any help,
>> Marshall