NTLM Authentication and TDV
NTLM authentication uses a challenge-response sequence that allows a client to prove its identity without sending a password to the server. It consists of three messages, commonly referred to as Type 1 (request), Type 2 (challenge) and Type 3 (authentication). It works like this:
1. The client sends a Type 1 message to the server. This contains a list of features supported by the client and requested of the server.
2. The server responds with a Type 2 message. This contains a list of features supported and agreed on by the server. Most importantly, it contains a challenge generated by the server.
3. The client replies to the challenge with a Type 3 message. This contains several pieces of information about the client, including the domain and user name of the client user. It also contains one or more responses to the Type 2 challenge.
The responses in the Type 3 message are the most critical piece, because they prove to the server that the client user has knowledge of the account password.
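To make the three-message exchange concrete, here is an added Python model of the NTLMv2 computation on both sides (example code written for this page, not TDV's or Microsoft's implementation). It assumes a constructed NT hash and account, omits the NTLMSSP message headers and negotiation flags, and skips the MD4 step that derives the NT hash from the password; the point is that the Type 3 response is derived from the hash and the server's challenge, so the server can verify it with its stored hash while the password itself never crosses the wire.

```python
import hashlib
import hmac
import os
import struct

# Constructed 16-byte NT hash (hypothetical; in real NTLM it is MD4 of the UTF-16LE
# password). The server's account store holds this value; the password itself is
# never carried in any of the three messages.
NT_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")
USER, DOMAIN = "alice", "CORP"          # constructed sample account

def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    # NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(uppercase(user) + domain))
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()

def ntlmv2_blob(timestamp: int, client_challenge: bytes, target_info: bytes) -> bytes:
    # The "temp" structure: version bytes, reserved, FILETIME, client nonce, reserved,
    # server-supplied AV pairs, reserved. It is sent in the clear inside the Type 3 message.
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)

def type3_response(nt_hash, user, domain, server_challenge, timestamp, client_challenge, target_info):
    # Client side: NtProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || temp), followed by temp.
    blob = ntlmv2_blob(timestamp, client_challenge, target_info)
    proof = hmac.new(ntowf_v2(nt_hash, user, domain), server_challenge + blob, hashlib.md5).digest()
    return proof + blob

def verify_type3(stored_nt_hash, user, domain, server_challenge, nt_response) -> bool:
    # Server side: recompute the proof from the stored hash and the blob the client sent.
    # Only a party holding the NT hash can produce or check it; the password is not needed.
    proof, blob = nt_response[:16], nt_response[16:]
    expected = hmac.new(ntowf_v2(stored_nt_hash, user, domain), server_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)

def run_exchange(client_nt_hash=NT_HASH, stored_nt_hash=NT_HASH) -> bool:
    # Type 1: client announces itself (flags omitted). Type 2: server issues a fresh
    # 8-byte random challenge plus target info (one AV pair, MsvAvNbDomainName, then MsvAvEOL).
    server_challenge = os.urandom(8)
    target_info = b"\x02\x00\x08\x00" + DOMAIN.encode("utf-16-le") + b"\x00\x00\x00\x00"
    # Type 3: client answers the challenge; server checks it against its account store.
    timestamp = 133_000_000_000_000_000            # constructed FILETIME value
    resp = type3_response(client_nt_hash, USER, DOMAIN, server_challenge, timestamp, os.urandom(8), target_info)
    return verify_type3(stored_nt_hash, USER, DOMAIN, server_challenge, resp)
```

Because the response is bound to the server's one-time challenge, a captured Type 3 response cannot be presented again against a new challenge, and a server that holds no NT hash for the account has nothing to verify it with.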
Limitations When Using NTLM with TDV
There are a few limitations when using NTLM with TDV, listed here by category:

Domain Support: NTLM cannot authenticate users from the composite domain. For clients to authenticate successfully when accessing TDV through NTLM, an LDAP domain must be configured for the Windows domain being used, and TDV must be pointed at this LDAP domain.

Proxy Support: Because NTLM is connection-oriented, it cannot support proxies. TDV is therefore unable to support proxies when using NTLM authentication.

Pass-Through Authentication: Pass-through authentication (delegation) is not possible, because the user never sends a password. TDV receives only the challenge responses, so it has nothing from which it could construct an NTLM Type 3 message on the user's behalf.