I am wondering if there is an easy way to completely automate the NTLM authentication process, requiring no user interaction. Currently, users get a prompt for a username/pw for every resource they try to access through the proxy. I've read a few posts that mention automating this process via a setting in IE (we use IE6, SP2) to automatically use Windows credentials, but I have concerns with this: what if the website the user is navigating requires authentication? Would IE automatically pass the Active Directory credentials for the user to the web server?
Again, here is what I would like to accomplish: users log into Terminal Services, and their AD credentials are automatically passed to the proxy server (and only the proxy) as needed with no user interaction.
Thanks in advance.
NTLM Authentication
Moderator: Qbik Staff
3 posts
• Page 1 of 1
NTLM Authentication
by gvsuderekdl » Jul 28 07 7:43 am
- gvsuderekdl
- Posts: 2
- Joined: Jul 25 07 4:17 am
by adrien » Jul 30 07 1:36 pm
Hi
I presume from this that your users don't have their browsers configured to use a proxy, but instead the proxy is intercepting the connection, and requiring NTLM auth.
The whole operation of intercepting proxies is something that isn't covered under the HTTP spec. Actually neither is NTLM authentication. The combination of the two in practice does have a few issues.
In general we actually recommend if you want to use NTLM authentication, that you configure the browsers to use the proxy server directly. This then solves the auth issue, since the browser then knows it's talking to a proxy, and associates the credentials with the proxy (instead of believing the request for credentials originated from the web site).
As for transferral of credentials, the NTLM protocol sends only hashed passwords, which AFAIK know provides protection against deriving the password from the data. However, there is some data that is passed in the clear with NTLM (such as machine names etc).
Adrien
I presume from this that your users don't have their browsers configured to use a proxy, but instead the proxy is intercepting the connection, and requiring NTLM auth.
The whole operation of intercepting proxies is something that isn't covered under the HTTP spec. Actually neither is NTLM authentication. The combination of the two in practice does have a few issues.
In general we actually recommend if you want to use NTLM authentication, that you configure the browsers to use the proxy server directly. This then solves the auth issue, since the browser then knows it's talking to a proxy, and associates the credentials with the proxy (instead of believing the request for credentials originated from the web site).
As for transferral of credentials, the NTLM protocol sends only hashed passwords, which AFAIK know provides protection against deriving the password from the data. However, there is some data that is passed in the clear with NTLM (such as machine names etc).
Adrien
- adrien
- Qbik Staff
- Posts: 5448
- Joined: Sep 03 03 2:54 pm
- Location: Auckland
3 posts
• Page 1 of 1
Who is online
Users browsing this forum: No registered users and 3 guests