NTLM over SSL thru proxies/firewalls

on 29.01.2008 19:57:11 by bryuill

We have an IIS served web site that uses integrated windows security.
All clients use IE 6/7. Once in a while we get a 401.2 error when
someone tries to reach the site from a hotel.

Based on what I've read it sounds like using NTLM over the Internet
can be problematic when connecting thru some proxy servers.

The last time we had the problem I had the user try accessing the same
site via SSL. Problem went away (in this case).

Can I reliably use NTLM over SSL, even thru proxy and firewalls?

Is the NTLM stuff being encrypted along with everything else and
therefore immune from stripping or tampering?

Re: NTLM over SSL thru proxies/firewalls

on 30.01.2008 02:51:30 by Ken Schaefer

Hi,

SSL/TLS (TCP layer) works at a lower level than NTLM (Layer 5+), so
everything is encrypted.

You /shouldn't/ have a problem with most forward proxies, because in the
case of SSL/TLS traffic they allow an end-to-end HTTP connection when using
SSL/TLS (because they can't be a "man in the middle").

NTLM relies on an end-to-end HTTP connection with HTTP Keep-Alives enabled.
Provided those requirements are met, and no intermediate device is doing
something odd to the traffic, NTLM should work over SSL/TLS.

Cheers
Ken

wrote in message
news:e31a04f2-31ac-4011-bd08-b7ef493d8566@i12g2000prf.googlegroups.com...
> We have an IIS served web site that uses integrated windows security.
> All clients use IE 6/7. Once in a while we get a 401.2 error when
> someone tries to reach the site from a hotel.
>
> Based on what I've read it sounds like using NTLM over the Internet
> can be problematic when connecting thru some proxy servers.
>
> The last time we had the problem I had the user try accessing the same
> site via SSL. Problem went away (in this case).
>
> Can I reliably use NTLM over SSL, even thru proxy and firewalls?
>
> Is the NTLM stuff being encrypted along with everything else and
> therefore immune from stripping or tampering?
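
The keep-alive requirement described in the reply above, as an added example that is not part of the original posts: a small Python model of why NTLM's handshake is tied to a single connection. The class and function names are hypothetical, the `Authorization` values are simplified labels rather than real NTLM messages, and no NTLM cryptography is performed.

```python
# Added example: models why NTLM's per-connection handshake breaks when an
# intermediary does not keep one client's requests on one upstream connection.
# All names are hypothetical; header values are simplified labels.
import itertools

class Server:
    """Tracks NTLM handshake state per TCP connection, as HTTP NTLM does."""
    def __init__(self):
        self.state = {}  # connection id -> "challenged" | "authenticated"

    def handle(self, conn_id, authorization=None):
        st = self.state.get(conn_id)
        if st == "authenticated":
            return 200                             # connection already authenticated
        if authorization == "NTLM type1":          # NEGOTIATE
            self.state[conn_id] = "challenged"
            return 401                             # response carries the type 2 CHALLENGE
        if authorization == "NTLM type3" and st == "challenged":
            self.state[conn_id] = "authenticated"  # AUTHENTICATE answers this connection's challenge
            return 200
        self.state.pop(conn_id, None)              # anonymous or out-of-sequence: start over
        return 401

def tunnel(server):
    """SSL/TLS through a forward proxy: one end-to-end connection for every request."""
    return lambda auth: server.handle("conn-1", auth)

def per_request_proxy(server):
    """Intermediary that opens a new upstream connection per request (no keep-alive)."""
    ids = itertools.count(1)
    return lambda auth: server.handle(f"conn-{next(ids)}", auth)

def ntlm_request(send):
    """Client side: anonymous request, then type 1, then type 3."""
    return [send(None), send("NTLM type1"), send("NTLM type3")]

if __name__ == "__main__":
    print("tunnel:           ", ntlm_request(tunnel(Server())))
    print("per-request proxy:", ntlm_request(per_request_proxy(Server())))
```

Through the tunnel the third request succeeds because it arrives on the connection that issued the challenge; through the per-request proxy the type 3 message lands on a connection with no pending challenge and the client keeps receiving 401.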

Re: NTLM over SSL thru proxies/firewalls

on 31.01.2008 17:40:00 by BrianYuill

Thanks Ken,

Sounds like NTLM over SSL may be my solution.

If I read things right, NTLM's 'end to end' need is covered, since that's a
requirement imposed by SSL. Correct me if I've oversimplified that.

As to 'keep alive', do you have an opinion on the likelihood of a hotel room
proxy interfering with a keep-alive session?

Thanks again,
Brian

"Ken Schaefer" wrote:

> Hi,
>
> SSL/TLS (TCP layer) works at a lower level than NTLM (Layer 5+), so
> everything is encrypted.
>
> You /shouldn't/ have a problem with most forward proxies, because in the
> case of SSL/TLS traffic they allow an end-to-end HTTP connection when using
> SSL/TLS (because they can't be a "man in the middle").
>
> NTLM relies on an end-to-end HTTP connection with HTTP Keep-Alives enabled.
> Provided those requirements are met, and no intermediate device is doing
> something odd to the traffic, NTLM should work over SSL/TLS.
>
> Cheers
> Ken
>
> wrote in message
> news:e31a04f2-31ac-4011-bd08-b7ef493d8566@i12g2000prf.googlegroups.com...
> > We have an IIS served web site that uses integrated windows security.
> > All clients use IE 6/7. Once in a while we get a 401.2 error when
> > someone tries to reach the site from a hotel.
> >
> > Based on what I've read it sounds like using NTLM over the Internet
> > can be problematic when connecting thru some proxy servers.
> >
> > The last time we had the problem I had the user try accessing the same
> > site via SSL. Problem went away (in this case).
> >
> > Can I reliably use NTLM over SSL, even thru proxy and firewalls?
> >
> > Is the NTLM stuff being encrypted along with everything else and
> > therefore immune from stripping or tampering?