
Subject: Meeting the InCommon Assurance profile criteria using Active Directory


[AD-Assurance] RE: Dumb NTLM+IWA question

  • From: Eric Goodman <>
  • To: "" <>
  • Subject: [AD-Assurance] RE: Dumb NTLM+IWA question
  • Date: Tue, 24 Jun 2014 18:44:22 +0000
  • Accept-language: en-US

Clearly if the user enters a username/password directly into an application, then said application will have direct access to the NTLM hash (by directly creating it from the plaintext). When IWA is in use it would seem to be a security risk if an arbitrary app could just grab it and start authenticating itself as the user, but I’m just not knowledgeable enough to speak to whether that’s really what happens.


This is all of interest to me because of a vendor that has all sorts of “interesting” SSO support options that rely on NTLM and IWA (one of which is SAML ECP support authenticated by NTLM of all things). Some clients are web clients and some are “fat” applications, so whether the app vs. the OS generate the challenges with IWA is actually relevant to whether the vendor’s applications (where “the vendor” != Microsoft) will have access to the user’s password in some of these cases.

[BA] Generally, this kind of configuration means the client sends the password in clear text to a proxy (over a secure channel). The proxy then handles the authentication protocols that the clients can’t support. I know that’s how Microsoft implemented Shib support for Live@EDU many years ago. In some cases the “proxy” is part of the application server itself.


Right; I agree that this is common (see every non-GSS implementation of Kerberos since I first saw Kerberos, for example :) ). Since this is leveraging the desktop password (IWA), and they keep telling me they're using NTLM, I'm presuming that in this case the desktop client is not (able to be) auto-sending the cleartext password to the server.


I’ve asked them for a clearer diagram of the flow of things. However we slice things, I’m not hot on turning on NTLM support at the IdP, even if we could limit it to ECP (and I’m not sure we can), since that’s something we explicitly recommend against in the Cookbook [1].


--- Eric



[1] Mandatory periodic reference to the Cookbook to justify continued use of this list for this conversation. :)

