Solved

Cannot understand Microsoft's Recommendation for Outlook Anywhere - "NTLM authentication over Secure Sockets Layer (SSL)"

Posted on 2010-09-01
1,143 Views
Last Modified: 2012-06-21
Here is a Microsoft statement which I don't understand:
"If you are using a firewall that does not handle NTLM, you will have to use Basic authentication over SSL"

Question: Why does the firewall need to handle NTLM? It's just an authentication method, not a network transfer protocol like RPC or SMTP with a TCP port bound to it. Shouldn't a firewall handling SSL be sufficient? SSL encrypts the traffic in an SSL tunnel from the CAS server end to the Outlook client end; shouldn't it pass through the firewall if the firewall has been told to pass SSL traffic? Why does it have anything to do with NTLM? I am confused, please help.

thanks in advance,
Jerry
Question by:JerryJay
8 Comments
 
LVL 12

Accepted Solution

by:mlongoh
mlongoh earned 400 total points
Microsoft offers a Firewall product ISA which, of course, supports NTLM authentication - which is part of their reverse proxy feature.  Thus the statement.
 
LVL 12

Assisted Solution

by:mlongoh
mlongoh earned 400 total points
The firewall doesn't need to handle NTLM, and in most cases a true firewall won't.  Thus basic authentication which is encrypted in an SSL tunnel is the alternative which really is most broadly used.  I'm assuming that you're referencing Outlook and Exchange's ability to communicate over SSL - it used to be called RPC over HTTPS.
 
LVL 11

Assisted Solution

by:Coast-IT
Coast-IT earned 100 total points
mlongoh's statement is even more confusing ;-)

Most firewalls don't support NTLM, yet I have managed to configure RPC over HTTPS on more than several occasions through lots of different firewalls, such as ISA, Netgear, Cisco, Draytek, Sonicwall.

So you are right, the comment doesn't make sense.

All I can say is NTLM authentication works through most if not all firewalls (unless you block it somehow using port filtering on ISA for instance), even though the firewalls don't support NTLM.

Weird?
 
LVL 12

Assisted Solution

by:mlongoh
mlongoh earned 400 total points
Coast-IT I'm saying that the statement implies that a firewall should be able to handle NTLM authentication when in reality most do not, but Microsoft's ISA product does.  The company making the statement is referencing their firewall product's capability as if it's common place.

However in reality (not Microsoft's marketing perception), most of the time RPC over HTTPS is the preferred and implemented approach.
Author Comment

by:JerryJay
Thank you all, very helpful info provided.
 

Author Comment

by:JerryJay
If NTLM has anything to do with the firewall, then there must be a TCP/UDP port associated with it. If there is, what is it?

thanks,
Jerry
 
LVL 12

Assisted Solution

by:mlongoh
mlongoh earned 400 total points
By default NTLM authentication uses dynamic ports, so to allow authentication traffic to pass through would require some registry changes on the "servers" to force the ports to be static.

That aside, my belief is still that the statement in question refers to MS ISA's ability to do NTLM authentication and then pass that authentication back through to the server whose services are being requested.  For example, in an Exchange 2003 environment, they introduced the concept of using Outlook to access the server through the Internet via an SSL tunnel - this works great.  However, with ISA, you don't have to go that route.  If you wanted to (I would never recommend it), you could configure an ISA server to receive the unencrypted RPC traffic and send it inside to the Exchange server.  In this scenario, the ISA server can prompt for and handle NTLM authentication (it's not routing the authentication through, it's handling the authentication task before routing the RPC traffic through).

So, when the statement was written by Microsoft, I think they were referencing their firewall product's unique ability to handle NTLM authentication, or more to the point every other firewall's "inability" to do it.

Without the ability to handle NTLM authentication (not authentication traffic but the actual task of authentication), then you should use SSL.

That's my interpretation.
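To make the distinction mlongoh draws concrete (a firewall passing NTLM traffic versus a reverse proxy such as ISA actually performing NTLM authentication before forwarding), here is a small added illustration written for this thread; it is not code from any of the posters, from Microsoft, or from ISA. It models what a middlebox sees at the HTTP header level: a Basic Authorization header is a single base64-encoded `user:password` (encoding, not encryption, hence "Basic over SSL"), while NTLM is a stateful, multi-message handshake whose messages carry the `NTLMSSP\0` signature and a message type (1 negotiate, 2 challenge, 3 authenticate). The `middlebox_decision` function and the sample headers are constructed for the example; the decision strings are a simplified model, not ISA's real behaviour.

```python
import base64
import struct

# Real NTLMSSP framing: 8-byte signature, then a 4-byte little-endian message type.
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLM_NEGOTIATE, NTLM_CHALLENGE, NTLM_AUTHENTICATE = 1, 2, 3


def parse_authorization(header):
    """Classify an HTTP Authorization header the way a middlebox would see it."""
    scheme, _, payload = header.partition(" ")
    scheme = scheme.strip().lower()
    raw = base64.b64decode(payload.strip())
    if scheme == "basic":
        # Basic is one header with user:password in base64. Base64 is not
        # encryption, so any device that can read the header can read the
        # password; that is why Basic is only acceptable inside an SSL tunnel.
        user, _, password = raw.decode("utf-8", "replace").partition(":")
        return {"scheme": "Basic", "user": user, "password": password, "stateful": False}
    if scheme == "ntlm":
        if len(raw) < 12 or raw[:8] != NTLMSSP_SIGNATURE:
            raise ValueError("not an NTLMSSP message")
        msg_type = struct.unpack_from("<I", raw, 8)[0]
        # NTLM is a challenge/response exchange bound to one TCP connection,
        # so a device cannot "authenticate" it from a single header.
        return {"scheme": "NTLM", "message_type": msg_type, "stateful": True}
    raise ValueError(f"unsupported scheme: {scheme}")


def middlebox_decision(header, over_tls, supports_ntlm):
    """Hypothetical model of what a firewall / reverse proxy can do with a request.

    supports_ntlm=False models an ordinary port-filtering firewall (Coast-IT's
    observation: the HTTP traffic still passes); supports_ntlm=True models a
    pre-authenticating reverse proxy like ISA (mlongoh's reading of the statement).
    """
    info = parse_authorization(header)
    if info["scheme"] == "Basic":
        if not over_tls:
            return "reject: Basic credentials would cross the network in cleartext"
        return "authenticate: single-shot credential check, then forward"
    if not supports_ntlm:
        # The headers are plain HTTP, so a port filter forwards them untouched;
        # the NTLM handshake completes end-to-end between Outlook and Exchange.
        return "pass-through: cannot pre-authenticate, NTLM handshake is opaque here"
    if info["message_type"] == NTLM_NEGOTIATE:
        return "challenge: reply 401 with a Type 2 message on this same connection"
    if info["message_type"] == NTLM_AUTHENTICATE:
        return "authenticate: verify Type 3 response against the domain, then forward"
    return "reject: unexpected NTLM message type from a client"


# Constructed sample headers (no real credentials or captured traffic).
def make_basic_header(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def make_ntlm_header(msg_type):
    # Minimal constructed message: signature + type + zero padding. The real
    # field layout after byte 12 is omitted since only the type is inspected.
    body = NTLMSSP_SIGNATURE + struct.pack("<I", msg_type) + b"\x00" * 20
    return "NTLM " + base64.b64encode(body).decode()


if __name__ == "__main__":
    basic = make_basic_header("CONTOSO\\jerry", "example-secret")
    print("Basic, no TLS   :", middlebox_decision(basic, over_tls=False, supports_ntlm=False))
    print("Basic, TLS      :", middlebox_decision(basic, over_tls=True, supports_ntlm=False))
    print("NTLM, plain FW  :", middlebox_decision(make_ntlm_header(1), True, False))
    print("NTLM T1, proxy  :", middlebox_decision(make_ntlm_header(1), True, True))
    print("NTLM T3, proxy  :", middlebox_decision(make_ntlm_header(3), True, True))
```

Running it shows the two statements in the thread are not in conflict: a firewall that merely filters ports forwards the NTLM headers like any other HTTP, so Outlook Anywhere works; only a device that wants to authenticate the user itself before the traffic reaches Exchange needs to implement the NTLM state machine, and a device that cannot do that is the one Microsoft steers toward Basic over SSL.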
 

Author Closing Comment

by:JerryJay
Thank you all, very helpful info.

Jerry