RE: NTLM authentification over the internet


From: David King
Subject: RE: NTLM authentification over the internet
Date: 16:16 on 15 Apr 2005
	I hate that most ISPs are blocking the ports required for NTLM due to worms.
I hate that "NTLM" isn't synonymous with Kerberos, despite the "Kerberos"
backend. I hate that they've changed their Kerberos so much that my already
Kerberised applications don't already work with it. Which brings me to another
hate.

	Outlook talks to Exchange via RPC. Fine, fine. But if you have Outlook and
want to use it through a firewall (i.e. you have sales people that work
remotely), one reason you /have/ a firewall is to block RPC ports from the
general populace, you have to use their newer "RPC over HTTP" proxy. Now, I'd
love to complain about wrapping strange protocols in HTTP, but that's already
been done.
	Now, some program has to pick up these HTTP packets, and distribute the
resulting RPC packets to their destinations. This program is a web application
for the exceedingly "secure" IIS. Since I'd like some SSL around my HTTP
packets, I check the funny little box that says, "Require SSL" for this
application. I tell the client side, and presto! RPC over HTTP over SSL. Or so
you'd think.
	When the user tries to connect to the Rpc application on IIS, he
has to authenticate to IIS, which is where the hate lies.

	If you go to a web page with a self-signed SSL certificate, you are notified
that this is the case, and asked if you want to continue. But when Outlook
tries to connect to a self-signed RPC over HTTP proxy, it cuts the connection.
It doesn't prompt the user, it doesn't log it, it just cuts the connection.
You can install the SSL certificate as "Trusted," which you'd probably want to
do anyway, but you want to get it working first, right?
	It can "fall over" to regular RPC packets if it can get to those ports. In
fact, it will do so without warning, _and will continue to report that it's
using HTTPS as its connection protocol_. So if you happen to be testing the
connection inside the firewall, you can't tell that it failed because it says
that it's working, and that it's using HTTPS.
	Besides the certificate, there are a number of other things that can go
"wrong" during authentication. Your password can be valid, but be about to
expire, for instance. Usually, Outlook will prompt you to change it, but
that's not one of the RPC calls it wraps in HTTP. Your password, username or
domain can be simply incorrect. Your account can be locked out. The RPC Proxy
server can be overloaded. Your local Proxy server may not like Outlook's
horribly malformed HTTP packets. Fluctuations in the force.

	Note, however, that to the user, all of these problems look the same. You
type your password, and it prompts you again. Anything between the user and
the final, unsuccessful connection and authentication looks exactly the same.
There is an "/rpcdiag" switch that doesn't tell you anything useful, except
that Outlook has /tried/ to connect.

	In the case of the expiring password, the user can't change their password
remotely (there is another IIS application to do this, but it's not the most
secure, can't be done from Outlook, and it doesn't /tell/ you, so most users
have no inkling of this).


	And trying to troubleshoot and/or explain these problems over the phone with
a salesperson that once told me that his email was slow because it used to
download at night when his computer was off and he can't seem to get that to
work anymore is next to impossible.
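Because the client keeps reporting HTTPS after it has silently fallen back to plain RPC, the only reliable place to see the fallback is the network edge. The following is an added example, not code from the post or from Microsoft: it parses a few constructed firewall records (hypothetical format and addresses) and flags, per client, whether only TCP/443 to the Exchange front end was seen, whether the client also hit the endpoint mapper on TCP/135 and a dynamic port (fallback after a failed HTTPS attempt), or whether it never tried HTTPS at all.

```python
import re

# Constructed sample firewall log (not from the original post). Format assumed:
#   <timestamp> <client> -> <destination>:<port> <verdict>
# RPC over HTTPS uses TCP/443; classic RPC uses the endpoint mapper on TCP/135
# and then a dynamic high port (6001 is used here only as an illustration).
SAMPLE_LOG = """\
2005-04-15T09:01:02 192.0.2.10 -> 198.51.100.5:443 ALLOW
2005-04-15T09:01:03 192.0.2.10 -> 198.51.100.5:443 ALLOW
2005-04-15T09:01:04 192.0.2.10 -> 198.51.100.5:135 ALLOW
2005-04-15T09:01:04 192.0.2.10 -> 198.51.100.5:6001 ALLOW
2005-04-15T09:02:10 192.0.2.11 -> 198.51.100.5:443 ALLOW
2005-04-15T09:02:11 192.0.2.11 -> 198.51.100.5:443 ALLOW
2005-04-15T09:03:00 192.0.2.12 -> 198.51.100.5:135 ALLOW
this line is garbage and must be skipped
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\w+)$")
RPC_PROXY_PORT = 443      # RPC over HTTP(S) front end on IIS
RPC_ENDPOINT_MAPPER = 135 # classic DCE/RPC endpoint mapper


def parse_records(text):
    """Turn log lines into (client, destination, port) tuples; unparseable lines are dropped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _, client, dst, port, _ = m.groups()
            records.append((client, dst, int(port)))
    return records


def classify_clients(records, exchange_host):
    """Per client talking to exchange_host:
    'https'        - only TCP/443 seen (RPC over HTTPS actually in use)
    'rpc-fallback' - TCP/443 tried, then endpoint mapper / dynamic ports (silent fallback)
    'rpc-only'     - never touched TCP/443 at all
    """
    ports = {}
    for client, dst, port in records:
        if dst == exchange_host:
            ports.setdefault(client, set()).add(port)
    verdict = {}
    for client, seen in ports.items():
        if seen == {RPC_PROXY_PORT}:
            verdict[client] = "https"
        elif RPC_PROXY_PORT in seen:
            verdict[client] = "rpc-fallback"
        else:
            verdict[client] = "rpc-only"
    return verdict
```

Run against real records, a client flagged as rpc-fallback is one whose HTTPS connection failed (for example on an untrusted certificate) even though Outlook still claims to be using HTTPS; outside the firewall the same client would simply be re-prompted for a password.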

-----Original Message-----
From: Ann Barcomb [mailto:ann@xxxxxxxxx.xxx]
Sent: Friday, April 15, 2005 2:42 AM
To: Hates software mailing list
Subject: NTLM authentification over the internet

I hate Microsoft's NTLM authentication scheme.  I hate Microsoft for their
refusal to stick to standards, but that's beyond the scope of this complaint.

I hate it because since a recent system upgrade on our Exchange server I
can no longer view my work mail from home.  Probably we were using another
authentication method earlier and now we are using NTLM.  Safari and my
version of Mozilla refuse to deal with it.  I resent that the only way
I can fix my problem is by upgrading to a newer Mozilla or installing Firefox.

It always annoys me to have to alter my environment to deal with something
that doesn't play by the rules.

- Ann
Generated at 13:00 on 18 Apr 2005 by mariachi 0.52