Richard Huelbig wrote:
> Hello all...
>
> Apparently, Microsoft's Proxy Server incorporates a feature called
> Integrated Windows Authentication (IWA), and if this feature is enabled
> (instead of the Basic Authentication feature), only Microsoft products
> can connect through the firewall.
>
> If I attempt to connect through an MS Proxy Server running Integrated
> Windows Authentication with my Linux machine my connection fails. From
> what I've been reading it's because my Linux computer can not use IWA
> authentication.
It's not an OS issue -- it's a web browser issue. Only IE uses this
"secure" authentication mechanism. It's just old LanMan hashes
(together, maybe with Kerberos) being sent on the wire via implicit
challenge/response or a dialog asking user to enter info. It's a
"security" joke.
> Now, if the proxy server is set to Basic Authentication my Linux PC has
> no problem making connections through the firewall.
Because it's part of the http protocol itself.
> The problem is that
> I'm in a situation where the administrator of the proxy server will not
> set the server to basic--according to "policy" the server must be set to
> IWA.
Then it sounds like you are attempting to connect to a server that
requires this form of authentication, i.e., an intranet server on your
lan, I hope.
> So, I'm wondering if anyone else has run into this issue, and if so,
> what are the possible workarounds? Are there any client components that
> I can install on my Linux box that will allow it to use IWA?
From Bill's own hired pens:
Although integrated Windows authentication is secure, it does have two
limitations.
Only Microsoft Internet Explorer, version 2.0 or later, supports this
authentication method.
Integrated Windows authentication does not work over HTTP Proxy
connections.
Therefore, integrated Windows authentication is best suited for an
intranet environment, where both user and Web server computers are in
the same domain, and where administrators can ensure that every user
has Microsoft Internet Explorer, version 2.0 or later.
[end quote]
http://www.microsoft.com/resources/d...intwinauth.asp
Ie., (no pun) it's a way to "break" all other browsers on the lan.
See, MS isn't really an irresponsible monopoly -- the US courts swear
to it.
If your admin is applying this to all _outgoing_ web connections, then
he's a doofus or a tyrant. In fact, not even all MS IE versions work
properly in that scenario.
If it's just applied in front of a "public" web server then he's just
dumb and he's turning away/chasing away customers.
If it's an in-house server, then he's sadly mistaken about what
security it buys him. The LanMan hash is always passed on the wire and
it is script kiddie poo-poo to break. Hardly even makes a mess in
their shorts.
Mind you, these are _user_ authentication credentials (any/all users,
even admins and COs) being passed on the wire just so the lan clients
can access the web. Hey, now I call that _real_ security ;-0
re: your situation try here for a fun read and solution (hint -
Mozilla):
http://toastytech.com/evil/msproxy
http://www.geocities.com/rozmanov/ntlm/
http://apserver.sourceforge.net/
http://freshmeat.net/projects/ntlmaps/
http://www.mozilla.org/releases/mozilla1.6/README.html << search ntlm
Not so sneaky as aps server though, which can work with wget

hth,
prg
email above disabled
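To make the "challenge/response on the wire" point above concrete, here is an added example (not code from the thread or from any of the linked projects) that walks the three-leg NTLM handshake as it crosses an HTTP proxy (`407` with `Proxy-Authenticate: NTLM`, client Type 1, proxy Type 2 with the 8-byte challenge, client Type 3) and then audits what the Type 3 message exposes: whether a 24-byte LM response is present, whether the NT response is NTLMv1 or NTLMv2, and what domain/user/workstation travel in clear. Message layouts follow MS-NLMP; the challenge, the domain `CORP`, the user `alice`, the workstation `LINUXBOX` and the response blobs are constructed placeholders (no real DES/MD4-derived hashes are computed), so the script runs offline and is meant for reading captured headers, not for authenticating.

```python
"""NTLM-over-HTTP-proxy exchange plus a defender-side audit of leg 3.

Added example; all messages below are constructed here. The LM/NT response
blobs are placeholder bytes, not real password-derived responses.
"""
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
# Negotiate flags from MS-NLMP used by this example.
NEG_UNICODE = 0x00000001
NEG_OEM = 0x00000002
NEG_REQUEST_TARGET = 0x00000004
NEG_NTLM = 0x00000200
NEG_EXT_SESSIONSECURITY = 0x00080000


def _field(data_len: int, offset: int) -> bytes:
    """Len / MaxLen / Offset triple that points at a payload field."""
    return struct.pack("<HHI", data_len, data_len, offset)


def _read_field(msg: bytes, pos: int) -> bytes:
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    return msg[offset:offset + length]


def build_type1(flags: int) -> bytes:
    """NEGOTIATE_MESSAGE: client announces what it supports (32-byte minimal form)."""
    return SIGNATURE + struct.pack("<II", 1, flags) + _field(0, 32) * 2


def build_type2(flags: int, challenge: bytes, target: bytes) -> bytes:
    """CHALLENGE_MESSAGE: proxy sends the 8-byte server challenge in the clear."""
    assert len(challenge) == 8
    header_len = 48  # signature, type, target fields, flags, challenge, reserved, targetinfo fields
    return (SIGNATURE + struct.pack("<I", 2) + _field(len(target), header_len)
            + struct.pack("<I", flags) + challenge + b"\x00" * 8
            + _field(0, header_len + len(target)) + target)


def build_type3(flags, lm_resp, nt_resp, domain, user, workstation) -> bytes:
    """AUTHENTICATE_MESSAGE: challenge responses plus identity strings."""
    header_len = 64  # six field descriptors follow the 12-byte header, then flags
    fields, payload = b"", b""
    for item in (lm_resp, nt_resp, domain, user, workstation, b""):  # last = session key
        fields += _field(len(item), header_len + len(payload))
        payload += item
    return SIGNATURE + struct.pack("<I", 3) + fields + struct.pack("<I", flags) + payload


def token_from_header(line: str) -> bytes:
    """'Proxy-Authorization: NTLM <b64>' (or Proxy-Authenticate) -> raw NTLMSSP bytes."""
    _name, _, value = line.partition(":")
    scheme, _, b64 = value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM header")
    return base64.b64decode(b64)


def parse_type2_challenge(msg: bytes) -> bytes:
    if msg[:8] != SIGNATURE or struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not an NTLM CHALLENGE_MESSAGE")
    return msg[24:32]


def parse_type3(msg: bytes) -> dict:
    if msg[:8] != SIGNATURE or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLM AUTHENTICATE_MESSAGE")
    flags = struct.unpack_from("<I", msg, 60)[0]
    enc = "utf-16-le" if flags & NEG_UNICODE else "ascii"
    return {
        "lm_response": _read_field(msg, 12),
        "nt_response": _read_field(msg, 20),
        "domain": _read_field(msg, 28).decode(enc),
        "user": _read_field(msg, 36).decode(enc),
        "workstation": _read_field(msg, 44).decode(enc),
        "flags": flags,
    }


def audit_type3(info: dict) -> list:
    """What a packet capture of this leg hands to anyone on the path."""
    findings = []
    lm, nt, flags = info["lm_response"], info["nt_response"], info["flags"]
    if len(lm) == 24 and any(lm):
        findings.append("LM response present: LanMan-hash-derived material on the wire")
    if len(nt) == 24 and not (flags & NEG_EXT_SESSIONSECURITY):
        findings.append("NTLMv1 response without extended session security")
    elif len(nt) > 24:
        findings.append("NTLMv2 response (client blob present)")
    findings.append("identity in clear: %s\\%s from %s" % (info["domain"], info["user"], info["workstation"]))
    return findings


def demo_exchange() -> dict:
    """Walk the handshake as it would cross the proxy, then audit leg 3."""
    flags = NEG_UNICODE | NEG_OEM | NEG_REQUEST_TARGET | NEG_NTLM
    # Leg 1: after the proxy's 407 with 'Proxy-Authenticate: NTLM', client sends Type 1.
    leg1 = "Proxy-Authorization: NTLM " + base64.b64encode(build_type1(flags)).decode()
    # Leg 2: proxy answers with Type 2 carrying a (constructed) server challenge.
    challenge = bytes.fromhex("0123456789abcdef")
    t2 = build_type2(flags, challenge, "CORP".encode("utf-16-le"))
    leg2 = "Proxy-Authenticate: NTLM " + base64.b64encode(t2).decode()
    # Leg 3: an older client answers with a 24-byte LM and a 24-byte NT response (placeholders).
    t3 = build_type3(flags, b"\x11" * 24, b"\x22" * 24, "CORP".encode("utf-16-le"),
                     "alice".encode("utf-16-le"), "LINUXBOX".encode("utf-16-le"))
    leg3 = "Proxy-Authorization: NTLM " + base64.b64encode(t3).decode()
    info = parse_type3(token_from_header(leg3))
    return {"legs": [leg1, leg2, leg3], "parsed": info, "findings": audit_type3(info)}


if __name__ == "__main__":
    result = demo_exchange()
    for line in result["legs"] + result["findings"]:
        print(line)
```

Point `token_from_header` at real `Proxy-Authorization` lines from a capture and `audit_type3` tells you whether the clients behind the proxy are still emitting LM responses, which is the condition the post describes; clients that negotiate extended session security and send NTLMv2 blobs show up without the LM finding.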