Proxy Server Authentication Vs ISA Server

  • Thread starter Will

Will

Is Microsoft Proxy Server 2.0 only able to use NTLM for
authentication? Does ISA Server accept Kerberos tickets from
users instead of using NTLM 1 or 2?

I'm interested in shutting off all forms of NTLM on our network
and I'm trying to identify which products are hard-wired to
require NTLM 1 or NTLM2.
 
Hi Will,
You can't shut off NTLM on a Windows network.
HTH,
--
Tom
Get your questions answered at:
http://forums.isaserver.org
Get the book!
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
FACT: Firewalls need at least two interfaces -- put a second NIC in that ISA
firewall!


: Is Microsoft Proxy Server 2.0 only able to use NTLM for
: authentication? Does ISA Server accept Kerberos tickets from
: users instead of using NTLM 1 or 2?
:
: I'm interested in shutting off all forms of NTLM on our network
: and I'm trying to identify which products are hard-wired to
: require NTLM 1 or NTLM2.
:
: --
: Will
: Internet: westes at earthbroadcast.com
:
:
 
You can't shut off NTLM2 I guess, but you can definitely shut off
NTLM1. Under Group Policy, Security Options, there is an
option named LAN Manager Authentication Level, and the most
stringent option here is something like:

"Send NTLMv2 Response Only / refuse LM & NTLM"

So to reword my question into these questions:

1) Does Proxy Server require NTLM1 responses? Under what
conditions can Proxy Server 2.0 use Kerberos for authentication?

2) Does ISA Server improve on this in any way, and specifically
can it be forced to use only Kerberos for authentication?
 
Will said:
> 1) Does Proxy Server require NTLM1 responses?

Don't know, but I don't think it cares. I think that might be an OS thing
and not a Proxy2 thing.

> Under what
> conditions can Proxy Server 2.0 use Kerberos for authentication?

It doesn't. Proxy is NT4.0 technology.
 
How do you disable anonymous and basic for proxy server?

Will the server port publishing capability that lets you expose
servers behind the proxy to the outside work with NTLM only?
 
Will said:
> How do you disable anonymous and basic for proxy server?

The Web Proxy Service goes by the Authentication settings within the Default
Website of IIS.

> Will the server port publishing capability that lets you expose
> servers behind the proxy to the outside work with NTLM only?

I'm not sure. I think it does, but I'm not sure.
 
Hi Will,
That is true, but you said shut off NTLM. :)
Thanks!
--
Tom


: You can't shut off NTLM2 I guess, but you can definitely shut off
: NTLM1. Under Group Policy, Security Options, there is an
: option named LAN Manager Authentication Level, and the most
: stringent option here is something like:
:
: "Send NTLMv2 Response Only / refuse LM & NTLM"
:
: So to reword my question into these questions:
:
: 1) Does Proxy Server require NTLM1 responses? Under what
: conditions can Proxy Server 2.0 use Kerberos for authentication?
:
: 2) Does ISA Server improve on this in any way, and specifically
: can it be forced to use only Kerberos for authentication?
:
: --
: Will
: Internet: westes at earthbroadcast.com
:
:
: : > You can't shut off NTLM on a Windows network.
: > --
: > Tom
:
:
 