Configuring NTLM Authentication

NTLM is a proprietary Microsoft protocol suite that can be used both for HTTP-based and non-HTTP-based authentication. It provides capabilities similar to Digest authentication, but predates it. Recognizing the need for a more robust authentication mechanism than Basic authentication, and with the necessary security infrastructure already present in Windows, Microsoft adapted both Internet Explorer and IIS to support NTLM-based authentication (known as NT Challenge/Response Authentication in IIS 4.0).

Despite being a proprietary Microsoft protocol, most modern browsers support NTLM-based authentication, not only Internet Explorer (v3 and higher) but also Chrome, Mozilla/Firefox, and Opera. When used to authenticate clients over HTTP, NTLM is a connection-oriented mechanism: the server authenticates the underlying TCP connection rather than each individual request, so the three-message handshake (client negotiate, server challenge, client response) and the requests that follow it must all travel over the same connection. This requires that the HTTP connection be maintained through HTTP keep-alive functionality; if the server or browser is configured not to use keep-alives, NTLM authentication fails. For this reason NTLM authentication is often said not to work through forward proxy servers, because a forward proxy typically does not give the client a persistent end-to-end connection that it can reuse for subsequent requests, and the challenge issued on one back-end connection then arrives answered on a different one. If clients are behind a forward proxy, it must be NTLM-aware for NTLM authentication to work. The flip side of authenticating the connection is that anything which reuses an authenticated connection for another client's requests, such as a proxy that multiplexes back-end connections, causes those requests to be treated as coming from the authenticated user, so such intermediaries must keep per-client connections separate.

NTLM authentication ...

Get Professional Microsoft IIS 8 now with the O’Reilly learning platform.