RE: Secure site not secured

  • From: "Smith, Carl" <CWSmith@xxxxxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 20 Aug 2001 14:53:07 -0500

Answer to my own question:

http://support.microsoft.com/support/kb/articles/Q198/1/16.ASP?LN=EN-US&SD=gn&FR=0&qry=challenge%20response%20proxy&rnk=4&src=DHCS_MSPSS_gn_SRCH&SPR=PRS

When a proxy server is inserted into the system, between the Web browser and
the Web publishing server, NTLM authentication between the client browser
and the Web publishing server will no longer work. In fact any
authentication method relying on implicit end-to-end state (such as NTLM)
will cease working. 

The HTTP 1.1 specification states that all state is hop-by-hop only.
End-to-end state can be achieved using a cookie or some other token distinct
from HTTP. The most obvious symptom of this failing is client browsers
receiving a message about authentication failure, such as "Access Denied." 

Because the HTTP headers for proxy authentication are different from those
for Web server authentication, it is possible to enable Basic authentication
to the proxy and also do Basic authentication between a client browser and a
Web publishing server while connecting through a Microsoft Proxy Server
computer. Microsoft Internet Explorer supports this configuration. 

In summary, Basic authentication does not require an implicit end-to-end
state, and can therefore be used through a proxy server. Windows NT
Challenge/Response authentication requires implicit end-to-end state and
will not work through a proxy server. 


Thanks -- Carl W. Smith

Enterprise Internet Services/Aegon Technology Services
(319) 398-7954 - Desk
(319) 533-1714 - NexTel
cwsmith@xxxxxxxxxxxx

>  -----Original Message-----
> From:         Smith, Carl  
> Sent: Monday, August 20, 2001 2:37 PM
> To:   [ISAserver.org Discussion List]
> Subject:      Secure site not secured
> 
> Ok, I'm having a brain drain here trying to figure this out, however I'm
> not having a good enough answer appear to me.  We have a website that is
> secure, however when accessed through the proxy server (All proxy servers,
> CSM, MS Proxy 2.0, ISA PROXY & Netscape proxy) it is not secure.  The site
> is on the internal network, and when we place the site in the exception,
> everything works.  However when going through the proxy servers, the site
> is not secure.  
> 
> The site has an SSL certificate and uses NT challenge response for
> authentication to the site.  Stumped, any ideas?
> 
> Thanks -- Carl W. Smith
> 
> Enterprise Internet Services/Aegon Technology Services
> 
> 
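
Added example, not part of the original post or the KB article: a small diagnostic that reads the head of an HTTP response and reports which hop issued the authentication challenge (407 with Proxy-Authenticate from the proxy, 401 with WWW-Authenticate from the Web server) and whether the offered scheme can be relayed through a proxy. The sample responses are constructed, the helper names are hypothetical, and it assumes the proxy adds a Via header and that each challenge arrives on its own header line.

```python
# Added example. Responses below are constructed; helper names are hypothetical.
CHALLENGE = {401: "www-authenticate", 407: "proxy-authenticate"}
REPLY = {401: "Authorization", 407: "Proxy-Authorization"}
CONNECTION_BOUND = {"ntlm"}  # authenticates the connection, not each request

NTLM_VIA_PROXY = ("HTTP/1.1 401 Unauthorized\r\nVia: 1.1 proxy.example\r\n"
                  "WWW-Authenticate: NTLM\r\n\r\n")
BASIC_VIA_PROXY = ("HTTP/1.1 401 Unauthorized\r\nVia: 1.1 proxy.example\r\n"
                   'WWW-Authenticate: Basic realm="intranet"\r\n\r\n')
PROXY_CHALLENGE = ("HTTP/1.1 407 Proxy Authentication Required\r\n"
                   'Proxy-Authenticate: Basic realm="proxy"\r\n\r\n')


def parse_head(raw):
    """Split a raw HTTP response head into (status, [(name, value), ...])."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def diagnose(raw):
    """Report which hop is challenging and whether the scheme survives a proxy."""
    status, headers = parse_head(raw)
    if status not in CHALLENGE:
        return {"hop": None, "schemes": [], "reply_with": None, "usable": True}
    wanted = CHALLENGE[status]
    # The first token of each challenge header is the scheme name.
    schemes = [v.split()[0].lower() for n, v in headers if n == wanted and v]
    via_proxy = any(n == "via" for n, _ in headers)
    per_request = [s for s in schemes if s not in CONNECTION_BOUND]
    # A Web server (401) challenge relayed by a proxy is only answerable
    # if at least one offered scheme carries credentials on every request.
    usable = not (status == 401 and via_proxy and not per_request)
    return {"hop": "proxy" if status == 407 else "origin", "schemes": schemes,
            "reply_with": REPLY[status], "usable": usable}


if __name__ == "__main__":
    for label, raw in [("NTLM via proxy", NTLM_VIA_PROXY),
                       ("Basic via proxy", BASIC_VIA_PROXY),
                       ("proxy challenge", PROXY_CHALLENGE)]:
        print(label, diagnose(raw))
```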
