Delivered-To: apmail-new-httpd-archive@apache.org
Received: (qmail 56026 invoked by uid 500); 2 May 2000 23:04:34 -0000
Mailing-List: contact new-httpd-help@apache.org; run by ezmlm
Precedence: bulk
X-No-Archive: yes
Reply-To: new-httpd@apache.org
Delivered-To: mailing list new-httpd@apache.org
Received: (qmail 56014 invoked from network); 2 May 2000 23:04:32 -0000
From: Tim Costello
Message-Id: <200005022304.JAA24275@fep7.mail.ozemail.net>
To: new-httpd@apache.org
Subject: Re: Announce: NTLM authentication module
Date: Wed, May 3 2000 10:04:28 GMT+1100
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Spam-Rating: locus.apache.org 1.6.2 0/1000/N

On Wednesday, 3 May 2000, Bill Stoddard wrote:
> Isn't challenge/response somewhat like digest authentication? How prevalent is it used?
> Does it work with browsers other than IE?

Somewhat. An excellent resource on NTLM authentication can be found at http://www.innovation.ch/java/ntlm.html. Bits of this discussion also happened before in November 1999 - take a look in the new-httpd archive for 199911, and follow the thread with subject "Kerberos authentication and authentication (proxy ticket forwarding)". The issues raised were:

* NTLM authentication breaks HTTP (connection based auth rather than request based)
* As a consequence, it would be difficult to write an NTLM auth module
* NTLM is not an open, interoperable standard.

From what I've seen, NTLM is quite widely used in corporate intranets where everyone uses (or the only supported browser is) MSIE, and the intranet is served using IIS. I have not seen a browser other than IE that does NTLM, but the facility is available to non-Microsoft (but still Windows) applications if you use the WinINet API to do HTTP stuff. Alternatively, NTLM is one of the packages generally accessible through the Microsoft Security Support Provider Interface (SSPI).

Having said all that, I can still see considerable demand for such a module.

Tim
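
The first issue listed in the message above (connection-based rather than request-based auth), as an added example that is not part of the original message or of any Apache module: a toy Python model in which the handshake state is keyed by connection. The tracker class, connection ids and tokens are constructed for illustration; the tokens carry only the NTLMSSP signature and message-type field, and credential verification is omitted.

```python
import base64
import struct

NTLMSSP = b"NTLMSSP\x00"  # signature that opens every NTLM message

def ntlm_message_type(header_value):
    """Return 1, 2 or 3 for a well-formed 'NTLM <base64>' header value, else None."""
    scheme, _, token = header_value.partition(" ")
    if scheme.upper() != "NTLM" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:
        return None
    if len(raw) < 12 or raw[:8] != NTLMSSP:
        return None
    (msg_type,) = struct.unpack_from("<I", raw, 8)  # little-endian type field
    return msg_type if msg_type in (1, 2, 3) else None

class NtlmConnectionTracker:
    """Hypothetical server-side model: state is keyed by connection, not request."""
    def __init__(self):
        self.state = {}  # conn_id -> "challenged" | "authenticated"

    def handle(self, conn_id, authorization=None):
        """Return the status code this model would send for one request."""
        if authorization is None and self.state.get(conn_id) == "authenticated":
            return 200  # request carries no credentials; the connection does
        msg = ntlm_message_type(authorization) if authorization else None
        if msg == 1:
            self.state[conn_id] = "challenged"
            return 401  # a real server adds WWW-Authenticate: NTLM <type 2>
        if msg == 3 and self.state.get(conn_id) == "challenged":
            self.state[conn_id] = "authenticated"  # credential check omitted
            return 200
        self.state.pop(conn_id, None)
        return 401

    def close(self, conn_id):
        self.state.pop(conn_id, None)  # identity ends with the connection

def constructed_token(msg_type):
    """Constructed sample: signature and type field only, not a full NTLM message."""
    return "NTLM " + base64.b64encode(NTLMSSP + struct.pack("<I", msg_type)).decode()

def replay(requests):
    tracker = NtlmConnectionTracker()
    return [tracker.handle(conn, auth) for conn, auth in requests]
```

A request with no `Authorization` header succeeds on a connection that completed the handshake and fails on any other, which is the behaviour a per-request module design has to work around.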