Re: "negotiate" auth with fallback to other schemes

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Sat, 6 Mar 2010 22:45:12 -0000

----- Original Message -----
From: "Henrik Nordstrom" <henrik_at_henriknordstrom.net>
To: "Markus Moeller" <huaraz_at_moeller.plus.com>
Cc: <squid-dev_at_squid-cache.org>
Sent: Saturday, March 06, 2010 10:26 AM
Subject: Re: "negotiate" auth with fallback to other schemes

> On Fri 2010-03-05 at 20:44 +0000, Markus Moeller wrote:
>
>> I don't understand this part. Usually the KDC is on AD, so how can NTLM
>> work and Kerberos not?
>
> The NTLM client just needs the local computer configuration +
> credentials entered interactively by the user. All communication with
> the AD is indirect via the proxy. The client does not need any form of
> ticket before trying to authenticate via NTLM, just the username +
> domain + password.
>
> For similar reasons NTLM also does not have any protection from MITM
> session theft, meaning that the auth exchange done to the proxy may just
> as well be used by a MITM attacker to authenticate as that client to any
> server in the network for any purpose.

So that makes the statement "Kerberos may fail just because the client
has no connectivity with the KDC, and in this case NTLM could be a
useful second choice" false, since in that case NTLM will fail too, as
the KDC (AD) is unavailable.

>
> Regards
> Henrik
>
Regards
Markus
Received on Sat Mar 06 2010 - 22:57:06 MST