Re: "negotiate" auth with fallback to other schemes

From: Henrik Nordstrom <henrik_at_henriknordstrom.net>
Date: Sat, 06 Mar 2010 11:26:49 +0100

Fri 2010-03-05 at 20:44 +0000, Markus Moeller wrote:

> I don't understand this part. Usually the kdc is on AD so how can NTLM work
> and Kerberos not?

The NTLM client just needs the local computer configuration +
credentials entered interactively by the user. All communication with
the AD is indirect via the proxy. The client does not need any form of
ticket before trying to authenticate via NTLM, just the username +
domain + password.

For similar reasons NTLM also does not have any protection from mitm
session theft. Meaning that the auth exchange done to the proxy may just
as well be used by a mitm attacker to authenticate as that client to any
server in the network for any purpose.

Regards
Henrik
Received on Sat Mar 06 2010 - 10:24:46 MST
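
An added example, not part of the original message: a heuristic classifier that tells, from a `Proxy-Authorization` header value, whether a client offered Negotiate answered with an NTLM token, which identifies the clients exposed to the weakness described above. The function names, header samples and client addresses are assumptions constructed for illustration.

```python
import base64

NTLMSSP_SIG = b"NTLMSSP\x00"   # signature that opens every NTLM message
NTLM_TYPES = {1: "type1-negotiate", 2: "type2-challenge", 3: "type3-authenticate"}


def classify(header_value):
    """Classify a Proxy-Authorization value as (scheme, mechanism, detail)."""
    scheme, _, blob = header_value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme not in ("negotiate", "ntlm"):
        return scheme, "other", None
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:          # binascii.Error is a subclass of ValueError
        return scheme, "malformed", None
    # Raw NTLM starts with the signature (pos 0); NTLM carried inside a
    # SPNEGO wrapper has it further in (pos > 0).
    pos = token.find(NTLMSSP_SIG)
    if pos >= 0 and len(token) >= pos + 12:
        msg_type = int.from_bytes(token[pos + 8:pos + 12], "little")
        return scheme, "ntlm", NTLM_TYPES.get(msg_type, "unknown-type")
    if token[:1] == b"\x60":    # ASN.1 tag of a GSS-API initial context token
        return scheme, "gssapi", None
    return scheme, "unknown", None


def ntlm_clients(entries):
    """Return the sorted client addresses that presented an NTLM token."""
    return sorted({client for client, hdr in entries if classify(hdr)[1] == "ntlm"})


def b64(raw):
    return base64.b64encode(raw).decode()


# Constructed sample data: a minimal NTLM type 1 message and a truncated
# GSS-API/SPNEGO header (not a valid Kerberos ticket).
NTLM_T1 = NTLMSSP_SIG + (1).to_bytes(4, "little") + b"\x07\x82\x08\xa2"
GSS_INIT = b"\x60\x82\x01\x00\x06\x06\x2b\x06\x01\x05\x05\x02" + b"\x00" * 16
SAMPLE = [
    ("192.0.2.10", "Negotiate " + b64(NTLM_T1)),    # fell back to NTLM
    ("192.0.2.11", "Negotiate " + b64(GSS_INIT)),   # GSS-API token
    ("192.0.2.12", "NTLM " + b64(NTLM_T1)),         # plain NTLM scheme
    ("192.0.2.13", "Basic " + b64(b"user:pass")),   # unrelated scheme
]

if __name__ == "__main__":
    for client, header in SAMPLE:
        print(client, classify(header))
```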
