MOSS Forum

Ask Question   UnAnswered
Home » Forum » MOSS       RSS Feeds

NTLM vs Basic Authentication in MOSS

  Asked By: Bryson    Date: Jun 03    Category: MOSS    Views: 7935


If you use NTLM authentication with SSL to access an extranet SharePoint
server, can you also set the server to fall back to Basic authentication
if the client is not on a windows system?

I'm wonder what happens if I configure our newest SharePoint extranet to
use NTLM and Linux / MAC users attempt to connect to it?



13 Answers Found

Answer #1    Answered By: Yahaira Shannon     Answered On: Jun 03

I think you must mean Windows Integrated instead of NTLM, since Basic
authentication is also NTLM. But if that is the question, then yes you
can set  you Web App to use both Windows Integrated and Basic with SSL.
The browser will default to the one it supports. However, there is no
real need to use SSL with Windows Integrated authentication  since it is
already encrypted. Also, support for Windows Integrated is dependent on
the browser being used, not the operating system. The latest safari
browser for the MAC supports Windows Integrated authentication. I'm not
sure about browsers for Linux.

Answer #2    Answered By: Doris Leach     Answered On: Jun 03

Basic != NTLM - at the HTTP level they are a different implementation
and not all firewalls/proxies support NTLM while pretty much everything
does Basic.

The answer is yes and no to Gerhard's original question. The server  can
be configured to fall  back to Basic from NTLM, but there is at least one
issue with this, as Office clients don't always do this fallback

Answer #3    Answered By: Sumitra 2004     Answered On: Jun 03


If we use WIA w/ NTLM, would that prevent our users  from being asked to
authenticate each time they access  an Office document? (...over the

Answer #4    Answered By: Bhairavi Damle     Answered On: Jun 03

That actually depends on a number of things.

1) Are the workstations that they are working from members of the
same domain (or a trusted domain) as the SharePoint server?

2) Have the workstation browser settings been setup to pass
credentials for the Trusted Sites security zone and has the SharePoint
site been added to that zone?

3) Is your Firewall setup to handle WIA(NTLM)? It requires a
number of ports to be opened since WIA doesn't use just port 80.

If the answer to all of the above is 'yes' then it should work. But the
answer to one or more of those is usually 'No'. WIA still asks for
credentials, it just passes them in the background if the existing
credentials will work.

Answer #5    Answered By: Leeann Hull     Answered On: Jun 03

I guess that means that you are stuck if you only want port 80 or
443 to be used to access  your MOSS extranet  from outside the firewall?

[AKA, that you will have to use Basic Authentication over SSL and that
users will have to authenticate each time they hit an Office document
from a PC not a member of the AD Domain...]

Answer #6    Answered By: Vaasu Radhakrishna     Answered On: Jun 03

That is correct, with one minor exception. You can also use Advanced
Digest Authentication if you only want one port open, but the result is
still the same. Only Windows Integrated will automatically

Answer #7    Answered By: Brinda Bca     Answered On: Jun 03

So, if I turn on Advanced Digest Authentication in IIS 6 and then use
WIA (non-Kerberos), I can have external users  hit the MOSS extranet  IF
they meet the 3 requirements below?

[Part of the same AD domains the MOSS server, added to the trusted
sites, and the firewall passes the port 80 or 443 traffic...]

Just to make sure I'm correct: If the external PCs are not part of the
domain then users are still asked for credentials each time they hit an
Office document? ...or is ADA an actual work-around for that?

(Sorry for the questions, but I'm trying to line up my ducks before I
start really prototyping the system.)

Answer #8    Answered By: Sheryl Velez     Answered On: Jun 03

Sorry, I left you with the wrong impression. Advanced Digest
Authentication is another alternative to WIA just like Basic is.
External users  will be prompted in Advanced Digest just like Basic.

Answer #9    Answered By: Alexandra Lewis     Answered On: Jun 03

1. If you are using SSL, you do not require any additional ports
for NTLM

2. Yes, if you turn on NTLM and Basic, IIS will try NTLM first,
and basic  second

3. Yes, if your users  put the SharePoint server  2007 server in the
IE 'trusted sites' or other zone, then turn on automatic logon with
current username and password, then they should not get a repeated
pop-up windows  until their password expires.

Answer #10    Answered By: Himanta Barthakur     Answered On: Jun 03

With the caveat I mentioned earlier, mainly that Office clients will not
actually do #2 and will instead error out after NTLM fails.

Answer #11    Answered By: Mansi Revenkar     Answered On: Jun 03

The only reason that I know of for NTLM to fail for the Office apps is if
there is a proxy in the way. MS says " NTLM can get past a firewall, but is
generally stopped by proxies because NTLM is connection-based, and proxies
do not necessarily keep connections established."


Are there other scenarios in which NTLM will fail for Office apps?

Answer #12    Answered By: Lizette Mcconnell     Answered On: Jun 03

I was talking specifically about the NTLM -> Basic fallback scenario
being discussed, not about a general NTLM failure. In particular,
Office clients don't do this correctly unless this was addressed in 2007
SP1 and I missed it.

Didn't find what you were looking for? Find more on NTLM vs Basic Authentication in MOSS Or get search suggestion and latest updates.