From: Ann Barcomb Date: 10:41 on 15 Apr 2005 Subject: NTLM authentification over the internet I hate Microsoft's NTLM authentification scheme. I hate Microsoft for their refusal to stick to standards, but that's beyond the scope of this complaint. I hate it because since a recent system upgrade on our Exchange server I can no longer view my work mail from home. Probably we were using another authentification method earlier and now we are using NTLM. Safari and my version of Mozilla refuse to deal with it. I resent that the only way I can fix my problem is by upgrading to a newer Mozilla or installing Firefox. It always annoys me to have to alter my environment to deal with something that doesn't play by the rules. - Ann
From: David King Date: 16:16 on 15 Apr 2005 Subject: RE: NTLM authentification over the internet I hate that most ISPs are blocking the ports required for NTLM due to worms. I hate that "NTLM" isn't synonymous with Kerberos, despite the "Kerberos" backend. I hate that they've changed their Kerberos so much that my already Kerberised applications don't already work with it. Which brings me to another hate. Outlook talks to Exchange via RPC. Fine, fine. But if you have Outlook and want to use it through a firewall (i.e. you have sales people that work remotely), one reason you /have/ a firewall is to block RPC ports from the general populace, you have to use their newer "RPC over HTTP" proxy. Now, I'd love to complain about wrapping strange protocols in HTTP, but that's already been done. Now, some program has to pick up these HTTP packets, and distribute the resulting RPC packets to their destinations. This program is a web application for the exceedingly "secure" IIS. Since I'd like some SSL around my HTTP packets, I check the funny little box that says, "Require SSL" for this application. I tell the client side, and presto! RPC over HTTP over SSL. Or so you'd think. When the user tries to connect to the Rpc application on IIS, he has to authenticate to IIS, which is where the hate lies. If you go to a web page with a self-signed SSL certificate, you are notified that this is the case, and asked if you want to continue. But when Outlook tries to connect to a self-signed RPC over HTTP proxy, it cuts the connection. It doesn't prompt the user, it doesn't log it, it just cuts the connection. You can install the SSL certificate as "Trusted," which you'd probably want to do anyway, but you want to get it working first, right? It can "fall over" to regular RPC packets if it can get to those ports. In fact, it will do so without warning, _and will continue to report that it's using HTTPS as its connection protocol_. So if you happen to be testing the connection inside the firewall, you can't tell that it failed because it says that it's working, and that it's using HTTPS. Besides the certificate, there are a number of other things that can go "wrong" during authentication. Your password can be valid, but be about to expire, for instance. Usually, Outlook will prompt you to change it, but that's not one of the RPC calls it wraps in HTTP. Your password, username or domain can be simply incorrect. Your account can be locked out. The RPC Proxy server can be overloaded. Your local Proxy server may not like Outlook's horribly malformed HTTP packets. Fluctuations in the force. Note, however, that to the user, all of these problems look the same. You type your password, and it prompts you again. Anything between the user and the final, unsuccessful connection and authentication, look exactly the same. There is an "/rpcdiag" switch that doesn't tell you anything useful, except that Outlook has /tried/ to connect. In the case of the expiring password, the user can't change their password remotely (there is another IIS application to do this, but it's not the most secure, can't be done from Outlook, and it doesn't /tell/ you, so most users have no inkling of this). And trying to troubleshoot and/or explain these problems over the phone with a salesperson that once told me that his email was slow because it used to download at night when his computer was off and he can't seem to get that to work anymore is next to impossible. -----Original Message----- From: Ann Barcomb [mailto:ann@xxxxxxxxx.xxx] Sent: Friday, April 15, 2005 2:42 AM To: Hates software mailing list Subject: NTLM authentification over the internet I hate Microsoft's NTLM authentification scheme. I hate Microsoft for their refusal to stick to standards, but that's beyond the scope of this complaint. I hate it because since a recent system upgrade on our Exchange server I can no longer view my work mail from home. Probably we were using another authentification method earlier and now we are using NTLM. Safari and my version of Mozilla refuse to deal with it. I resent that the only way I can fix my problem is by upgrading to a newer Mozilla or installing Firefox. It always annoys me to have to alter my environment to deal with something that doesn't play by the rules. - Ann
Generated at 17:46 on 21 Sep 2006 by mariachi