Re: NTLM authentication

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Tue, 01 Aug 2000 09:18:49 +0200

Robert Collins wrote:

> The challenge is tied to a connection in the MS protocol, we only find
> the username on the response, so any caching we do has to be tied to a
> machine(It's the only info we can use), and we find the username on the
> client response. As such we are one step behind the game, and any
> problems (users moving machines, multi-user machines) will surface after
> the client has tried authenticating.

Then I am misinformed. According to the info I have the client first
presents its identification including workstation name and userid,
which makes sense to me as I thought you need to know the user domain to
be able to get the challenge from the correct domain controller...

> As above the issue is: who do we replay it to? (must be machine as that
> is the only info we have when we present the challenge)
> What if that machine has multiple users (a la metaframe or a big
> X-client)? (We're stuffed - every connection will be for a different
> user and a cached challenge is only valid for a single user).

A connection where the same identification is presented.

> For the moment I'm going to leave the possibilities of caching to the
> side. I will put together an update for the NTLM notes page though.

That is fine. However, keep in mind that it should be done on Basic
authentication even if not possible in NTLM.

/Henrik
Received on Tue Aug 01 2000 - 09:14:35 MDT
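The disagreement above is about which NTLM message carries which identifier: Robert says the username is only seen on the client's final response, Henrik believes the client announces the user up front. The following script is an added example written for this archive page; it is not code from the thread or from Squid. It builds and parses the three NTLMSSP messages (Type 1 negotiate, Type 2 challenge, Type 3 authenticate) using the publicly documented "security buffer" layout (length, max length, offset from message start), with constructed sample values and illustrative flag constants. Running it shows that Type 1 carries only domain and workstation names, the challenge lives in Type 2, and the username first appears in Type 3, which is why a proxy that wants to tie a cached challenge to a user can only key on the workstation until the response arrives.

```python
import struct

SIGNATURE = b"NTLMSSP\x00"

# Illustrative flag values (NEGOTIATE_OEM | REQUEST_TARGET | NEGOTIATE_NTLM | ALWAYS_SIGN);
# real clients negotiate a richer set, but the field positions do not depend on them.
FLAGS = 0x00008206


def _sec_buf(length: int, offset: int) -> bytes:
    """Security buffer header: u16 length, u16 max length, u32 offset (little endian)."""
    return struct.pack("<HHI", length, length, offset)


def build_type1(domain: bytes, workstation: bytes) -> bytes:
    """Type 1 (negotiate): flags + domain + workstation. No user field exists here."""
    header_len = 8 + 4 + 4 + 8 + 8  # 32 bytes before the payload
    return (SIGNATURE + struct.pack("<I", 1) + struct.pack("<I", FLAGS)
            + _sec_buf(len(domain), header_len)
            + _sec_buf(len(workstation), header_len + len(domain))
            + domain + workstation)


def build_type2(target: bytes, challenge: bytes) -> bytes:
    """Type 2 (challenge): the 8-byte server challenge sits at fixed offset 24."""
    if len(challenge) != 8:
        raise ValueError("NTLM challenge must be exactly 8 bytes")
    header_len = 8 + 4 + 8 + 4 + 8 + 8 + 8  # 48 bytes before the payload
    return (SIGNATURE + struct.pack("<I", 2)
            + _sec_buf(len(target), header_len)
            + struct.pack("<I", FLAGS) + challenge + b"\x00" * 8  # reserved/context
            + _sec_buf(0, header_len + len(target))                # empty target info
            + target)


def build_type3(domain: bytes, user: bytes, workstation: bytes,
                lm_resp: bytes, nt_resp: bytes) -> bytes:
    """Type 3 (authenticate): responses plus domain, user and workstation."""
    header_len = 8 + 4 + 6 * 8 + 4  # 64 bytes before the payload
    fields = [lm_resp, nt_resp, domain, user, workstation, b""]  # session key left empty
    bufs, payload = b"", b""
    for f in fields:
        bufs += _sec_buf(len(f), header_len + len(payload))
        payload += f
    return SIGNATURE + struct.pack("<I", 3) + bufs + struct.pack("<I", FLAGS) + payload


def _read_buf(msg: bytes, pos: int) -> bytes:
    """Resolve a security buffer, refusing offsets that point outside the message."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length]


def parse_ntlm(msg: bytes) -> dict:
    """Return the identifiers a proxy can see in a single NTLMSSP message."""
    if msg[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    (mtype,) = struct.unpack_from("<I", msg, 8)
    if mtype == 1:
        (flags,) = struct.unpack_from("<I", msg, 12)
        return {"type": 1, "flags": flags,
                "domain": _read_buf(msg, 16), "workstation": _read_buf(msg, 24)}
    if mtype == 2:
        (flags,) = struct.unpack_from("<I", msg, 20)
        return {"type": 2, "flags": flags,
                "target": _read_buf(msg, 12), "challenge": msg[24:32]}
    if mtype == 3:
        (flags,) = struct.unpack_from("<I", msg, 60)
        return {"type": 3, "flags": flags,
                "lm_response": _read_buf(msg, 12), "nt_response": _read_buf(msg, 20),
                "domain": _read_buf(msg, 28), "user": _read_buf(msg, 36),
                "workstation": _read_buf(msg, 44)}
    raise ValueError(f"unknown NTLM message type {mtype}")


def first_message_with_user(messages) -> int:
    """Message type in which a non-empty user name first becomes visible (0 if never)."""
    for m in messages:
        parsed = parse_ntlm(m)
        if parsed.get("user"):
            return parsed["type"]
    return 0


# Constructed sample exchange (names, challenge and response bytes are made up).
T1 = build_type1(b"EXAMPLE", b"WKS01")
T2 = build_type2(b"EXAMPLE", bytes(range(1, 9)))
T3 = build_type3(b"EXAMPLE", b"alice", b"WKS01", b"\xaa" * 24, b"\xbb" * 24)

if __name__ == "__main__":
    for m in (T1, T2, T3):
        print(parse_ntlm(m))
    print("user name first visible in Type", first_message_with_user([T1, T2, T3]))
```

The proxy-side consequence is visible in the parse results: after Type 1 the only keys available for any cache are the domain and workstation names, and on a multi-user host (a terminal server, a large X client) those do not distinguish users, so a challenge cached per workstation can only be validated once the Type 3 response names the user.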
