Re: Micro$oft Authentication

From: Jason Haar <Jason.Haar@dont-contact.us>
Date: Mon, 20 Apr 1998 14:22:08 +1200

> I believe if you use an OS with PAM capabilities (Linux or Solaris), you
> can use a PAM module which will authenticate off an NT server. I've seen

Won't do, I'm afraid. Web-based NTLM authentication means "transparent"
authentication (under IE 3.0+). When IE sees that it's been asked to do NTLM
authentication, it sends its cached usercode/password pair (suitably encrypted
- this is no BASIC scheme!) without even mentioning it to the user. It can do
this as the user authenticated themselves on the NT domain when they logged
into their workstation - this cached information is available from then on.

I've gone as far as getting the squid proxy-auth patch to call the likes of
smbclient (works well - as it caches too), but it still only supports BASIC
authentication - i.e. passwords in the clear/etc.

I'd love to see a "true" NTLM patch for Apache/Squid - but the encryption
coding required probably puts most people off...

-- 
Cheers
Jason Haar
Unix/Network Specialist, Trimble NZ
Phone: +64 3 3391 377 Fax: +64 3 3391 417
Received on Sun Apr 19 1998 - 19:34:13 MDT
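
The BASIC versus NTLM contrast drawn in the message above, as an added example that is not part of the original post: a proxy-side check that shows what each Authorization header value exposes. The function name, the sample credentials and the NTLM flag value are constructed for illustration.

```python
import base64
import struct

NTLM_SIGNATURE = b"NTLMSSP\x00"          # every NTLM message starts with this
NTLM_TYPES = {1: "negotiate", 2: "challenge", 3: "authenticate"}

def classify_authorization(value):
    """Describe what an (Proxy-)Authorization header value carries."""
    scheme, _, blob = value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme not in ("basic", "ntlm"):
        return {"scheme": "other"}
    try:
        raw = base64.b64decode(blob.strip(), validate=True)
    except ValueError:                    # binascii.Error is a ValueError
        return {"scheme": "malformed"}
    if scheme == "basic":
        # BASIC is only base64("user:password"): anyone on the path reads it.
        user, sep, password = raw.decode("latin-1").partition(":")
        if not sep:
            return {"scheme": "malformed"}
        return {"scheme": "basic", "cleartext_password": True,
                "user": user, "password": password}
    # NTLM: 8-byte signature, then a little-endian 32-bit message type.
    if len(raw) < 12 or not raw.startswith(NTLM_SIGNATURE):
        return {"scheme": "malformed"}
    (msg_type,) = struct.unpack_from("<I", raw, 8)
    return {"scheme": "ntlm", "cleartext_password": False,
            "message_type": NTLM_TYPES.get(msg_type, "unknown")}

# Constructed sample headers (not captured traffic).
BASIC_SAMPLE = "Basic " + base64.b64encode(b"alice:s3cret").decode()
NTLM_SAMPLE = "NTLM " + base64.b64encode(
    NTLM_SIGNATURE + struct.pack("<II", 1, 0x00000207)  # type 1, made-up flags
).decode()

if __name__ == "__main__":
    for header in (BASIC_SAMPLE, NTLM_SAMPLE, "NTLM !!!"):
        print(header, "->", classify_authorization(header))
```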

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:39:45 MST