Henrik Nordstrom wrote:
> I perfectly understand why challenge encryption stops the authenticated
> user credentials from being proxied to another server (like in an IIS
> server proxying the user information to a SQL server or whatever), but
> not why the whole authentication can't be proxied by an HTTP proxy to an
> NTLM-capable server..
Only to answer my own question: It can. There is nothing in NTLM
authentication which makes it impossible to proxy, besides the fact that
it requires a single persistent connection client<->origin server, with
any number of proxies/tunnels in between. There is a very notable
collision between RFC 2616 and MS NTLM authentication in that RFC 2616
advocates that client<->proxy and proxy<->origin connections are more or
less independent of each other, while MS NTLM requires them to be
tightly coupled as one connection.
/Henrik
Received on Wed Dec 15 1999 - 17:41:37 MST
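
Added example (not part of the original message, and not Squid's or any server's code): a constructed Python simulation of the coupling described above, where authentication state lives on the origin connection, run through a proxy that treats its two sides independently and one that pins them together. The message strings, status handling and the names OriginConn, PoolingProxy, PinningProxy and run_handshake are simplified assumptions.

```python
"""Constructed simulation: NTLM-style per-connection auth behind a proxy."""
import itertools


class OriginConn:
    """One TCP connection to the origin; auth state lives on the connection."""

    def __init__(self, ident):
        self.ident = ident
        self.state = "new"          # new -> challenged -> authenticated

    def handle(self, authorization):
        if self.state == "authenticated":
            return 200              # later requests need no credentials
        if authorization == "NTLM type1":
            self.state = "challenged"
            return 401              # origin answers with its type-2 challenge
        if authorization == "NTLM type3" and self.state == "challenged":
            self.state = "authenticated"
            return 200
        self.state = "new"          # out-of-sequence message: handshake restarts
        return 401


class PoolingProxy:
    """Treats the two sides independently: any origin connection for any request."""

    def __init__(self, size=2):
        self.pool = itertools.cycle([OriginConn(i) for i in range(size)])

    def forward(self, client_id, authorization):
        return next(self.pool).handle(authorization)


class PinningProxy:
    """Couples each client connection to exactly one origin connection."""

    def __init__(self):
        self.pinned = {}

    def forward(self, client_id, authorization):
        conn = self.pinned.setdefault(client_id, OriginConn(client_id))
        return conn.handle(authorization)


def run_handshake(proxy, client_id="client-1"):
    """Send type-1, type-3, then a follow-up request without credentials."""
    messages = ["NTLM type1", "NTLM type3", None]
    return [proxy.forward(client_id, m) for m in messages]
```

Through PoolingProxy(size=2) the handshake never completes, while PinningProxy authenticates once and serves the follow-up. With a single shared origin connection, a second client's request without credentials is served on the first client's authenticated connection, which is the other reason a proxy has to keep the two sides coupled.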