What is the difference between NTLM and LDAP authentication?
Cisco Web Security Appliance (WSA), all versions of AsyncOS
Authentication with the WSA can be broken down into the following possibilities:
Client > WSA
WSA > Authentication server
Authentication server type
Active Directory server using LDAP
NTLM Basic authentication
Active Directory server (NTLM Basic)
Active Directory server (NTLMSSP)
Note: NTLMSSP is commonly referred to as NTLM.
The noteworthy difference between Basic authentication and NTLM authentication are below.
The client will always be prompted for credentials. After credentials have been entered, browsers will typically offer a check box to remember the credentials provided. Any time the browser is closed, the client will prompt again or send the previously remembered credentials again.
Note: NTLM Basic utilizes Basic authentication from the client and thus will have the same properties.
The client will transparently authenticate using its Windows logon credentials.
The only cases in which the client will prompt for credentials are if the Windows credentials first fail (this will occur if the client is logged in locally to the computer and not to the domain used for authentication) or if the client does not trust the WSA.
Credentials are sent insecurely using plain text. A simple packet capture between the client and the WSA will reveal the user's username AND password.
Credentials are sent securely via a three-way handshake (digest style authentication). The password is NEVER sent across the wire.
The NTLM process looks as such:
The Client sends an NTLM Negotiate packet. This tells the WSA that the client intends to do NTLM authentication.
The WSA sends an NTLM Challenge string to the client.
The client uses an algorithm based on its password to modify the challenge and sends the challenge response to the WSA.
The AD server then verifies that the client is using the correct password based on whether or not it modified the challenge string appropriately.