Re: NTLM over the Internet
From: Karl Levinson [x y] mvp (levinson_k_at_despammed.com)
Date: 11/21/03
- Next message: Wei-Dong Xu [MSFT]: "RE: Impersonation, Delegation & SQL Server"
- Previous message: Karl Levinson [x y] mvp: "Re: why don't my ssl headers show?"
- In reply to: Marshall: "Re: NTLM over the Internet"
- Next in thread: Marshall: "Re: NTLM over the Internet"
- Reply: Marshall: "Re: NTLM over the Internet"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 20 Nov 2003 19:37:50 -0500
I searched the site below:
http://www.google.com/groups?as_q=proxy&as_oq=ntlm%20integrated&as_ugroup=microsoft.public.inetserver.*
... which suggests that certain proxy servers just don't support NTLM. You
might check with your potential proxy vendor to see if they do [and if they
don't, just use basic with SSL]. Keep searching the link above or revise my
search or try a similar search in www.google.com and you may find additional
information.
http://support.microsoft.com/?kbid=264921 [is a little vague on the
details, but gives a few other details]
"Marshall" <anonymous@discussions.microsoft.com> wrote in message
news:917A6ABF-20DE-4A72-B6A0-C7337000929F@microsoft.com...
> Thanks Karl and Sukesh,
>
> I guess I didn't mention I was already assuming a Windows/IE only user
> base :) Anyway, my question about the technical details of ntlm being
> blocked by proxies was geared toward 'things to avoid (proxy configurations)
> when setting up NTLM internally where proxies will be involved.' I would
> hate to set up an internal authentication system that couldn't operate
> properly because of our internal network configuration. Does anyone have
> any specifics on this or any good references? I've been searching for a
> while now but haven't been able to get any low-level details. Thanks,
>
> Marshall
>
> ----- Karl Levinson [x y] mvp wrote: -----
>
> It's also not recommended because 1) windows integrated authentication is
> NOT securely encrypted, and 2) it only works for IE and only on Windows.
> Also, the default settings in newer versions of IE won't send windows
> integrated authentication by default to Internet sites.
>
>
> "Marshall" <mashburnwest@yahoo.com> wrote in message
> news:BC737A37-8FC0-4373-9DB9-7F1204346C86@microsoft.com...
> > I've read in a couple of Microsoft articles that ntlm should not be used
> > over the internet for authenticating users. The reason given is that ntlm
> > relies on 'implicit end-to-end state' so that proxies positioned between the
> > client and web server can cause unexpected problems (most notably 'Access
> > Denied'). I have 2 questions related to this:
> > 1. Does anyone have any further technical details on exactly what
> > situations would cause problems? I've set up a test server using ntlm over
> > the internet, tested from multiple locations (trying to access server
> > through a different path) but cannot produce the error. What proxy
> > configuration would cause this?
> > 2. If SSL is being used, can ntlm be reliably used (i.e. must proxies
> > follow different rules for SSL so that 'implicit end-to-end state' would be
> > accomplished)?
> > Thanks for any help,
> > Marshall
>
>
>