KnowledgeBase Archive

An Archive of Early Microsoft KnowledgeBase Articles

View on GitHub

Q183545: XWEB: NTLM Authentication Fails Between Two Computers with OWA

Article: Q183545
Product(s): Microsoft Exchange
Version(s): WINDOWS:5.0
Operating System(s): 
Keyword(s): kbusage
Last Modified: 16-DEC-1999

-------------------------------------------------------------------------------
The information in this article applies to:

- Microsoft Exchange Active Server Components, version 5.0 
-------------------------------------------------------------------------------

SUMMARY
=======

When a Microsoft Internet Explorer client connects to a Microsoft Internet
Information Server (IIS) using NTLM authentication, the browser caches the
security token. All subsequent connections to the server by this client that
request an NTLM response are responded to with the information that is currently
cached.

Connections using Basic authentication are similar; however, only the username
and password are cached. There is no checking of Windows NT credentials. When
you attempt to connect to a remote mailbox during this session, authentication
must be passed again; however, authentication is passed from the cache and is
valid because it is only a username and password, thus allowing access.

With NTLM, the client connects to the IIS computer and gains access to the
Logon.asp page by generating a hashed password and obtaining a security token.
This security token is only valid for that connection to that IIS computer. When
you attempt to open a remote mailbox and you are prompted for logon credentials,
the browser sends the security token that was cached, which being only valid for
the connection to the IIS computer itself, results in denied access.

This is called a double-hop impersonation. NTLM does not support double hop,
because security tokens and hashes are only valid for the computer on which they
are generated.

Additional query words:

======================================================================
Keywords          : kbusage 
Technology        : kbZNotKeyword6 kbExchangeSearch kbZNotKeyword2 kbExchangeActiveServComp500
Version           : WINDOWS:5.0
Issue type        : kbinfo

=============================================================================

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.