On Fri 2010-03-05 at 20:44 +0000, Markus Moeller wrote:
> I don't understand this part. Usually the KDC is on AD, so how can NTLM work
> and Kerberos not?
The NTLM client just needs the local computer configuration plus the credentials entered interactively by the user. All communication with the AD is indirect, via the proxy. The client does not need any form of ticket before trying to authenticate via NTLM, just the username + domain + password.

For similar reasons NTLM also does not have any protection from MITM session theft, meaning that the auth exchange done to the proxy may just as well be used by a MITM attacker to authenticate as that client to any server in the network for any purpose.

Regards
Henrik
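The relay Henrik describes, as an added toy model that is not code from the original thread or from Squid: HMAC-SHA256 stands in for NTLM's NT-hash/HMAC-MD5 computation and for the service-key encryption of a Kerberos ticket, and the user, server and SPN names are constructed. What it shows is the binding difference: an NTLM response covers only the challenge and the user's secret, so a man in the middle between the client and the proxy can obtain a challenge from any other server, hand it to the client as if it were the proxy's, and forward the answer; a Kerberos ticket is issued under one service principal's key and is rejected by any other service.

```python
import hashlib
import hmac
import secrets

# Constructed toy model, not real NTLM or Kerberos code. HMAC-SHA256 stands in
# for the NT-hash / HMAC-MD5 of NTLM and for the service-key encryption of a
# Kerberos ticket; only the binding (or lack of it) is modelled, not wire format.


def nt_key(password: str) -> bytes:
    """Stand-in for the NT hash (real NTLM: MD4 over the UTF-16LE password)."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


class Directory:
    """Stand-in for the AD that the proxy (or any server) asks to check a response."""

    def __init__(self, accounts):
        self.keys = {user: nt_key(pw) for user, pw in accounts.items()}

    def ntlm_response_valid(self, user, challenge, response):
        expected = hmac.new(self.keys[user], challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class NtlmClient:
    def __init__(self, user, password):
        self.user, self.key = user, nt_key(password)

    def respond(self, challenge):
        # Covers the challenge and the user's secret only; nothing names the
        # server the client believes it is authenticating to.
        return hmac.new(self.key, challenge, hashlib.sha256).digest()


class NtlmServer:
    def __init__(self, name, directory):
        self.name, self.directory, self.pending = name, directory, None

    def challenge(self):
        self.pending = secrets.token_bytes(8)
        return self.pending

    def accept(self, user, response):
        ok = self.directory.ntlm_response_valid(user, self.pending, response)
        self.pending = None
        return ok


def ntlm_relay(client, target):
    """MITM between client and proxy: open a session to some other server, pass
    its challenge to the client as if it were the proxy's, forward the reply."""
    challenge = target.challenge()                 # attacker -> target
    response = client.respond(challenge)           # client thinks this is the proxy
    return target.accept(client.user, response)    # attacker is now "client" on target


class Kdc:
    def __init__(self, service_keys):
        self.service_keys = service_keys  # SPN -> long-term service key

    def ticket(self, user, spn):
        # Real Kerberos encrypts the ticket under the service's key; the tag
        # plays that role here: only the named service can validate it.
        body = f"{user}|{spn}".encode()
        return body, hmac.new(self.service_keys[spn], body, hashlib.sha256).digest()


class KerbService:
    def __init__(self, spn, key):
        self.spn, self.key = spn, key

    def accept(self, ticket):
        body, tag = ticket
        mine = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(mine, tag):
            return False  # not issued under this service's key
        _user, spn = body.decode().split("|")
        return spn == self.spn


def demo():
    """Returns (ntlm_direct, ntlm_relayed, kerberos_direct, kerberos_relayed)."""
    ad = Directory({"alice": "correct horse battery"})
    alice = NtlmClient("alice", "correct horse battery")
    proxy = NtlmServer("proxy", ad)
    fileserver = NtlmServer("fileserver", ad)
    ntlm_direct = proxy.accept("alice", alice.respond(proxy.challenge()))
    ntlm_relayed = ntlm_relay(alice, fileserver)

    keys = {"HTTP/proxy": secrets.token_bytes(32), "cifs/fileserver": secrets.token_bytes(32)}
    ticket = Kdc(keys).ticket("alice", "HTTP/proxy")
    kerb_direct = KerbService("HTTP/proxy", keys["HTTP/proxy"]).accept(ticket)
    kerb_relayed = KerbService("cifs/fileserver", keys["cifs/fileserver"]).accept(ticket)
    return ntlm_direct, ntlm_relayed, kerb_direct, kerb_relayed


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `(True, True, True, False)`: the relayed NTLM response is accepted by the file server, the relayed Kerberos ticket is not. The model leaves out the things that narrow the NTLM relay in practice (SMB/LDAP signing, channel binding, the per-request Kerberos authenticator), so it is an illustration of the property Henrik states, not an assessment of any particular deployment.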
