RE: NTLM question

From: Robert Collins <robert.collins@dont-contact.us>
Date: 21 Aug 2001 21:42:48 +1000

On 21 Aug 2001 09:57:35 +0200, Mihhail Meskov wrote:
>
>
> Mihhail Meskov
> System Integrator
> Hansabank
> 15040 Liivalaia 8
> Tallinn, Estonia
> Tel: +372 (0)6133617
> Mobile: +372 (0)5090784
> Fax: +372 (0)6131990
> Email: mihhail.meskov@hansa.ee
> Web: http://www.hansa.ee
>
> > -----Original Message-----
> > From: Chemolli Francesco (USI) [mailto:ChemolliF@GruppoCredit.it]
> > Sent: Monday, August 20, 2001 3:57 PM
> > To: 'Henrik Nordstrom'; Mihhail Meskov
> > Cc: Squid Developers Mailinglist
> > Subject: RE: NTLM question
> >
> >
> > > Squid cannot proxy NTLM authentication because Microsoft NTLM
> > > authentication does not follow HTTP specifications on persistent
> > > connection management and authentication.
> > >
> > > HTTP specifies that persistent connections are managed
> > > independently between client<->proxy and proxy<->server to allow
> > > efficient sharing of server connections. Further, authentication is
> > > to take place per message, not per connection.
> > >
> > > NTLM authentication requires unique persistent client<->server
> > > connections with absolutely no sharing of the server connection
> > > between multiple clients.
> >
> > It is worth noticing that recent versions of MS Internet Explorer
> > WILL NOT EVEN ATTEMPT to perform NTLM authentication if a proxy
> > is in use to reach the destination host.
>
> To my mind, it is because of the "401" response. In the case of "407", all
> IE 4+ start NTLM negotiation.

Because proxy servers are considered trusted, and there is a (untrue)
expectation that the proxy returning a 407 is the first proxy in the
request chain.

> So, if the destination server offers NTLM along with other schemes, Squid
> should change 401 to 407 and the "WWW-Authenticate: NTLM" header line to
> "Proxy-Authenticate: NTLM". Also, Squid should change the hostname of the
> client to the name of its own host in each NTLM message sent by a client in
> "Proxy-Authorization: NTLM ..", eliminating "Proxy-" from this header's
> name before forwarding this client's reply to the destination (MS) server.

That will collide with local proxy authentication, and could be used by
a hacker to extract user passwords from the local domains. This would be
a severe security hole IMO. Not to mention being against HTTP spec.

> I'm not a Squid developer, not even a hacker. I've just discovered a lot
> about how NTLM works because of a project I am involved in. And, IMHO, if
> Basic Authorization can be passed through a proxy, why shouldn't NTLM?

Because of MS's design. They designed a connection-based authentication
protocol for a message-based transport protocol. Doh! Can we work around
that? Yes, within limits.

> Of course, you may say that MS violates the HTTP standard with NTLM, but
> this scheme works, is in use and is becoming popular.

Microsoft are not suggesting web sites on the internet use NTLM. They
suggest _against_ using it on the internet because it won't go through
proxy servers - including MS Proxy and AFAIK ISA Server.

So, I don't think it is that popular outside of intranets - and Squid
supports NTLM authentication between the client and Squid.

Rob
Received on Tue Aug 21 2001 - 05:42:34 MDT
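The point Henrik and Rob make above (an authentication scheme that binds identity to a connection cannot survive a proxy that shares upstream connections per the HTTP model) can be shown with a small simulation. This is an added example written for this archive page; it is not Squid code and models no real NTLM message format. The classes, the client names "alice" and "bob" and the "auth_handshake" field are all constructed for illustration: a connection-authenticating origin behind a proxy with a shared upstream pool lets a second client's request be answered under the first client's identity, and the fix is the one the thread describes, a pinned, unshared upstream connection per client.

```python
"""Toy model of connection-based authentication behind an HTTP proxy.

Added example, not Squid's code.  Everything here is constructed for
illustration: no real NTLM messages are parsed or produced.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class UpstreamConnection:
    """One persistent proxy->origin connection.

    The origin binds a user to the *connection* once a handshake has
    completed, which is the connection-oriented behaviour the thread
    says is incompatible with HTTP's per-message authentication.
    """
    conn_id: int
    authenticated_user: Optional[str] = None


class OriginServer:
    """Origin that authenticates connections rather than messages."""

    def handle(self, conn: UpstreamConnection, request: dict) -> dict:
        # A (constructed) handshake field stands in for the auth exchange;
        # once seen, the user is remembered on the connection itself.
        handshake = request.get("auth_handshake")
        if handshake is not None:
            conn.authenticated_user = handshake
        if conn.authenticated_user is None:
            return {"status": 401, "body": "auth required"}
        # Later requests on this connection carry no credential at all,
        # yet are served as the remembered user.
        return {"status": 200, "body": f"private data of {conn.authenticated_user}"}


class SharingProxy:
    """Proxy that returns idle upstream connections to a pool shared by
    all clients, as HTTP's independent connection management allows."""

    def __init__(self, origin: OriginServer) -> None:
        self.origin = origin
        self.idle: List[UpstreamConnection] = []
        self.next_id = 0

    def _open(self) -> UpstreamConnection:
        self.next_id += 1
        return UpstreamConnection(self.next_id)

    def forward(self, client: str, request: dict) -> dict:
        conn = self.idle.pop() if self.idle else self._open()
        response = self.origin.handle(conn, request)
        self.idle.append(conn)  # back into the shared pool, identity and all
        return response


class PinningProxy(SharingProxy):
    """Proxy that dedicates one upstream connection to each client
    connection and never hands it to anyone else (the 'unique persistent
    client<->server connection' requirement from the thread)."""

    def __init__(self, origin: OriginServer) -> None:
        super().__init__(origin)
        self.pinned: Dict[str, UpstreamConnection] = {}

    def forward(self, client: str, request: dict) -> dict:
        conn = self.pinned.get(client)
        if conn is None:
            conn = self.pinned[client] = self._open()
        return self.origin.handle(conn, request)


def run_scenario(proxy_cls) -> dict:
    """Alice completes the handshake; Bob then sends a plain request.

    Returns the status each client saw and the body Bob received, so the
    leak (or its absence) is visible as data rather than printed text.
    """
    proxy = proxy_cls(OriginServer())
    alice = proxy.forward("alice", {"auth_handshake": "alice"})
    bob = proxy.forward("bob", {})
    return {"alice": alice["status"], "bob": bob["status"], "bob_body": bob["body"]}


if __name__ == "__main__":
    print("sharing pool :", run_scenario(SharingProxy))
    print("pinned conns :", run_scenario(PinningProxy))
```

With the shared pool Bob's unauthenticated request lands on the connection the origin already associates with Alice and is answered with her data; with pinning Bob gets a fresh connection and the expected 401. That is the trade-off Rob refers to when he says the problem can be worked around "within limits": the proxy has to give up connection sharing for such origins, which is precisely what HTTP's persistent-connection design was meant to allow.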

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:14:14 MST