
Proxy server blocking NTLM authentication??

I am running a hosted SharePoint site which uses NTLM authentication. Some of my resources in France say that they are unable to reach the site although all of my US resources are.

According to their IT team they think that it is because we are using NTLM authentication for the Sharepoint site.  Has anyone heard of a firewall/proxy blocking NTLM authentication/ports?  If so, does it use different ports other than 80?

Any help would be great!
Asked by: MARefresh

Keith Alabaster Commented:
Are any of your French users using Apple Macs or other non-MS operating systems?
ISA server has known limitations also (as a proxy/firewall) with Apple machines as Apple/Unix boxes etc do not support NTLM authentication.

MARefresh (Author) Commented:
They are all using Windows Server 2000+ OS'.  Any other thoughts?  Thanks for your help Keith

Keith Alabaster Commented:
Do we know what is between their systems and their Internet connection? Any filtering/proxy services?
What are you using yourself? (I know the US is working OK but I wondered if you had any logging/monitoring software you could use). What is your external router/firewall? Can you run a syslog server to watch the traffic coming in? Anything being logged in the w3srv directory where the IIS is located?

What do the French see? Do they get logon credentials?
Can they try using Firefox or something similar? May be something in the settings of their IE. Can we get a basic comparison list between US/FR?

Why should NTLM cause an issue for the French and not the US? I know this is the call you have logged :)

 
Keith Alabaster Commented:
PS  As a test, can you enable Anonymous access temporarily to see if they get in then?

MARefresh (Author) Commented:
I did and they received a SharePoint message:

--------------------------------------------------------------------
Error:
Access denied.  You do not have permission to perform this action or access this resource.

Anonymous access requests are not enabled.

Troubleshoot issues with Windows SharePoint Services.
--------------------------------------------------------------------

Before I had enabled anonymous access on the Default Website, they just got a message 401 Access Denied.

Keith Alabaster Commented:
Are the French new to the site or has this worked for them and then suddenly stopped?
Do you have any restrictions on the SharePoint web site such as authorised IP addresses?
Are the French added to the SharePoint site users list?

If they are getting that message, the traffic is obviously hitting the server. Anything in the event logs?

MARefresh (Author) Commented:
Keith, thanks for the quick response. They have never been able to access the site. Btw, it is a new site so there hasn't been much time to test. They are added to the server's Active Directory and have been added to the site users list as standard procedure.

Do you think it has anything to do with NTLM auth vs. Kerberos?

Keith Alabaster Commented:
Anything is possible.... One would expect the same issue though from the US; what are they doing differently?
Couple of things then:

1. I would check exactly what they have between their internal network and the Internet. If there is a form of proxy server, it could be stripping out the credentials etc. from the headers, for example.

2. Are the French coming in directly across the Internet or via a VPN? If it is directly across the Internet, do they have a machine they could put directly in front of their external router (bypassing any internal restrictions). Also, if they use an external pc (at home for example), does it work then?

If it is across a VPN, is the VPN blocking any traffic?

3. Do you have any other hosted services that the French CAN connect to successfully across the same connection?

MARefresh (Author) Commented:
They are able to connect outside of their LAN, which would lead me to think that it has something to do with their proxy servers.  Do proxy servers typically "strip out credentials"?

Thanks again.

Keith Alabaster Commented:
They can do, yes but it depends on make/model/configuration/rules applied. As mentioned, ISA server is a prime example when SecureNAT connections are made.

To be frank, I don't think this is your issue at all (directly speaking) although it may be yours from a support perspective. If they have a proxy service, I would be looking at their logs and set up before going any further.

MARefresh (Author) Commented:
It appears that it was their proxy server that was stripping out the credentials. Once I enabled Basic Auth the problems went away and they were able to connect.

MARefresh (Author) Commented:
Are there any other means of authentication that are as strong as NTLM and better than Basic that Windows Server 2003 offers? And if so, how must they be set up?

Keith Alabaster Commented:
Well, we hit it on the head but have come back to the original question. What is different about the French Connection? (No pun intended).

Obviously there are Certificate options but NTLM is the expected process.



MARefresh (Author) Commented:
All I know is that they are behind a proxy server.  When I enabled basic auth it seemed to work perfectly.  I'll award you the points because the situation has been resolved (although I don't like the idea of using basic auth, even though we are using SSL as well).


Keith Alabaster Commented:
I hear you. However, if they are blocking with their proxy, there is little else you can do really from your end. I agree, I wouldn't want to use basic either (although I did in places). The way we got round the problem was to bring in a Cisco VPN Concentrator and set up SSL VPNs that fronted the web sites.

Keith Alabaster Commented:
Do you want to close the call?

Keith Alabaster Commented:
Thanx :)
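
The thread settles on a proxy interfering with the NTLM exchange. As an added example (not code from the thread or from either poster), the sketch below reads the NTLM message type out of `Authorization` / `WWW-Authenticate` values and compares what the client sent with what the server received, to locate where the handshake broke. The trace format (`sent`, `seen`, `conn`, `status`) and the function names are assumptions; it goes one step beyond the thread by also flagging a proxy that spreads the handshake over several connections, since NTLM over HTTP authenticates a single TCP connection.

```python
import base64
import struct

NTLMSSP = b"NTLMSSP\x00"  # signature that starts every NTLM message

def ntlm_type(header):
    """Return the NTLM message type (1, 2 or 3) in an Authorization or
    WWW-Authenticate value, 0 for a bare "NTLM" offer, None otherwise."""
    parts = (header or "").split(None, 1)
    if not parts or parts[0].upper() != "NTLM":
        return None
    if len(parts) == 1:
        return 0
    try:
        blob = base64.b64decode(parts[1].strip(), validate=True)
    except ValueError:
        return None
    if len(blob) < 12 or not blob.startswith(NTLMSSP):
        return None
    return struct.unpack_from("<I", blob, 8)[0]  # little-endian type field

def diagnose(trace):
    """trace: one dict per request with 'sent' (Authorization the client sent),
    'seen' (Authorization the server received), 'conn' (server-side TCP
    connection id) and 'status' (HTTP status returned)."""
    challenged = None
    for hop in trace:
        sent, seen = ntlm_type(hop["sent"]), ntlm_type(hop["seen"])
        if sent in (1, 3) and seen is None:
            return "STRIPPED"              # header removed between client and server
        if seen == 1 and hop["status"] == 401:
            challenged = hop["conn"]       # server answered with its type 2 challenge
        elif seen == 3:
            if hop["conn"] != challenged:
                return "CONNECTION_SPLIT"  # type 3 must reuse the challenged connection
            return "OK" if hop["status"] < 400 else "REJECTED"
    return "NOT_STARTED"

def msg(t):
    """Constructed, minimal NTLM blob: signature + type field + padding."""
    return "NTLM " + base64.b64encode(NTLMSSP + struct.pack("<I", t) + bytes(8)).decode()

# Constructed traces for illustration, not captures from the thread.
DIRECT = [{"sent": None, "seen": None, "conn": 1, "status": 401},
          {"sent": msg(1), "seen": msg(1), "conn": 1, "status": 401},
          {"sent": msg(3), "seen": msg(3), "conn": 1, "status": 200}]
STRIPPING_PROXY = [{"sent": None, "seen": None, "conn": 7, "status": 401},
                   {"sent": msg(1), "seen": None, "conn": 8, "status": 401}]
SPLITTING_PROXY = [{"sent": msg(1), "seen": msg(1), "conn": 4, "status": 401},
                   {"sent": msg(3), "seen": msg(3), "conn": 5, "status": 401}]
```

In practice the `sent` side comes from a client-side capture and the `seen` side from a capture in front of IIS, because the W3C logs do not record the `Authorization` header by default.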