External

Since: Jan 29, 2008 Posts: 1
(Msg. 1) Posted: Tue Jan 29, 2008 10:57 am
Post subject: NTLM over SSL thru proxies/firewalls
Archived from groups: microsoft>public>inetserver>iis

We have an IIS served web site that uses integrated windows security.
All clients use IE 6/7. Once in a while we get a 401.2 error when
someone tries to reach the site from a hotel.

Based on what I've read it sounds like using NTLM over the Internet
can be problematic when connecting thru some proxy servers.

The last time we had the problem I had the user try accessing the same
site via SSL. Problem went away (in this case).

Can I reliably use NTLM over SSL, even thru proxy and firewalls?

Is the NTLM stuff being encrypted along with everything else and
therefore immune from stripping or tampering?

External

Since: Aug 23, 2003 Posts: 3041
(Msg. 2) Posted: Tue Jan 29, 2008 10:04 pm
Post subject: Re: NTLM over SSL thru proxies/firewalls

Hi,

SSL/TLS (TCP layer) works at a lower level than NTLM (Layer 5+), so
everything is encrypted.

You /shouldn't/ have a problem with most forward proxies, because in the
case of SSL/TLS traffic they allow an end-to-end HTTP connection when using
SSL/TLS (because they can't be a "man in the middle").

NTLM relies on an end-to-end HTTP connection with HTTP Keep-Alives enabled.
Provided those requirements are met, and no intermediate device is doing
something odd to the traffic, NTLM should work over SSL/TLS.

Cheers
Ken

External

Since: Jan 31, 2008 Posts: 4
(Msg. 3) Posted: Thu Jan 31, 2008 8:40 am
Post subject: Re: NTLM over SSL thru proxies/firewalls

Thanks Ken,

Sounds like NTLM over SSL may be my solution.

If I read things right, NTLM's 'end to end' need is covered, since that's a
requirement imposed by SSL. Correct me if I've oversimplified that.

As to 'keep alive', do you have an opinion on the likelihood of a hotel room
proxy interfering with a keep-alive session?

Thanks again,
Brian

External

Since: Aug 23, 2003 Posts: 3041
(Msg. 4) Posted: Sun Feb 03, 2008 10:05 pm
Post subject: Re: NTLM over SSL thru proxies/firewalls

"Brian Yuill" <BrianYuill.TakeThisOut@discussions.microsoft.com> wrote in message
news:4749A32E-E2CF-4DBC-9AA6-24E90F7E57F0@microsoft.com...
> Thanks Ken,
>
> Sounds like NTLM over SSL may be my solution.
>
> If I read things right, NTLM's 'end to end' need is covered, since that's a
> requirement imposed by SSL. Correct me if I've oversimplified that.

It really depends on the proxy server in question. Some newer corporate
proxies are capable of inspecting outbound traffic, and they do that by
breaking the end-to-end connection.

> As to 'keep alive', do you have an opinion on the likelihood of a hotel room
> proxy interfering with a keep-alive session?

For an SSL connection, in a hotel, you'll be fine. It's more an issue of
server and client configuration. Ensure that both are configured to use HTTP
Keep-Alives.

Cheers
Ken

External

Since: Jan 31, 2008 Posts: 4
(Msg. 5) Posted: Mon Feb 04, 2008 8:29 am
Post subject: Re: NTLM over SSL thru proxies/firewalls

Thanks again Ken,

I can enforce IIS server and IE client settings for keep-alive.

As to possibility of a hotel room proxy breaking NTLM's 'end to end'
requirement -

If 'end-to-end' is a requirement for an (any) SSL connection (no man in the
middle) and I make the assumption that a hotel's internet for clients would
most likely need to support SSL, then I think I'm comfortable with this
solution. Am I off base here?

Brian

External

Since: Jan 31, 2008 Posts: 4
(Msg. 6) Posted: Tue Feb 05, 2008 11:51 am
Post subject: Re: NTLM over SSL thru proxies/firewalls

Hi Ken,

I did a poor job of asking my specific question in my last post. Let me try
that again.

re:
> It really depends on the proxy server in question. Some newer corporate
> proxies are capable of inspecting outbound traffic, and they do that by
> breaking the end-to-end connection.

I understood that SSL needed an end-to-end connection and so wouldn't this
type of 'breaking the end-to-end connection' break any SSL connection?

Or could it be a breakage specific to NTLM over SSL?

Thanks again,
Brian

External

Since: Aug 23, 2003 Posts: 3041
(Msg. 7) Posted: Tue Feb 05, 2008 9:04 pm
Post subject: Re: NTLM over SSL thru proxies/firewalls

"Brian Yuill" <BrianYuill.RemoveThis@discussions.microsoft.com> wrote in message
news:D2408D52-462E-4955-A14D-0D35BBD2F328@microsoft.com...
> Hi Ken,
>
> I did a poor job of asking my specific question in my last post. Let me try
> that again.
>
> re:
>> It really depends on the proxy server in question. Some newer corporate
>> proxies are capable of inspecting outbound traffic, and they do that by
>> breaking the end-to-end connection.
>
> I understood that SSL needed an end-to-end connection and so wouldn't this
> type of 'breaking the end-to-end connection' break any SSL connection?

Correct.

> Or could it be a breakage specific to NTLM over SSL?

Not that I'm aware of. All the NTLM stuff is encapsulated inside the SSL
connection, so the authentication should be fine. As long as the HTTP/HTTPS
connection is kept alive at both ends, you should be good-to-go.

Cheers
Ken

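Added example, not part of any post in this thread: a small checker for the keep-alive requirement discussed above. It reads a recorded sequence of HTTP request/response pairs and flags the conditions that stop an NTLM handshake from completing on one connection. The trace layout, the helper names, the finding labels and the `proxy.example` host are assumptions made for this illustration, and the tokens are constructed stand-ins rather than captured traffic.

```python
import base64
import struct

NTLM_SIG = b"NTLMSSP\x00"  # every NTLM message starts with this signature

def ntlm_type(header_value):
    """Return the NTLM message type (1, 2 or 3) in a header value, else None."""
    scheme, _, blob = (header_value or "").partition(" ")
    if scheme.upper() != "NTLM" or not blob.strip():
        return None  # a bare "NTLM" offer or a different scheme
    try:
        raw = base64.b64decode(blob.strip(), validate=True)
    except ValueError:
        return None
    if len(raw) < 12 or not raw.startswith(NTLM_SIG):
        return None
    return struct.unpack_from("<I", raw, 8)[0]  # little-endian type field

def diagnose(trace):
    """Return (step index, finding) pairs for things that break the handshake."""
    findings = []
    challenge_conn = None  # connection on which the Type 2 challenge arrived
    for i, t in enumerate(trace):
        resp = t["resp"]
        if "via" in resp and not any(f == "via-proxy" for _, f in findings):
            findings.append((i, "via-proxy"))  # a proxy announced itself
        if ntlm_type(t["req"].get("authorization")) == 3:
            if challenge_conn is None:
                findings.append((i, "type3-without-challenge"))
            elif t["conn"] != challenge_conn:
                findings.append((i, "conn-switch"))  # server lost the context
            challenge_conn = None
        if ntlm_type(resp.get("www_authenticate")) == 2:
            challenge_conn = t["conn"]
            if resp.get("connection", "").lower() == "close":
                findings.append((i, "challenge-closed"))  # no keep-alive
    return findings

# --- constructed sample data, not captured traffic ---
def sample_msg(msg_type):
    """Stand-in NTLM token: signature + type + zero padding (no real fields)."""
    body = NTLM_SIG + struct.pack("<I", msg_type) + bytes(20)
    return "NTLM " + base64.b64encode(body).decode()

def step(conn, status, auth=None, **resp):
    """One request/response pair; header names are lowercased, '-' -> '_'."""
    return {"conn": conn, "status": status,
            "req": {"authorization": auth} if auth else {}, "resp": resp}

KEPT_ALIVE = [  # whole handshake on one connection, as inside a TLS tunnel
    step(1, 401, www_authenticate="NTLM"),
    step(1, 401, sample_msg(1), www_authenticate=sample_msg(2)),
    step(1, 200, sample_msg(3)),
]
hop = {"via": "1.1 proxy.example", "connection": "close"}
PROXIED = [  # plain HTTP through a proxy that closes after every response
    step(1, 401, www_authenticate="NTLM", **hop),
    step(2, 401, sample_msg(1), www_authenticate=sample_msg(2), **hop),
    step(3, 401, sample_msg(3), www_authenticate="NTLM", **hop),
]

if __name__ == "__main__":
    print("kept alive:", diagnose(KEPT_ALIVE))
    print("proxied:   ", diagnose(PROXIED))
```
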
External

Since: Jan 31, 2008 Posts: 4
(Msg. 8) Posted: Wed Feb 06, 2008 8:30 am
Post subject: Re: NTLM over SSL thru proxies/firewalls

Thanks Ken,
I believe that answers my questions. Thanks for taking the time.
Brian