Windows – Implications of allowing Windows clients to use NTLMv1

Tags: authentication, group-policy, ntlm, Security, windows

I have a web application that I'd like to authenticate to using pass-through NTLM for SSO. There is a problem, however, in that NTLMv2 apparently will not work in this scenario (without the application storing an identical password hash).

I enabled NTLMv1 on one client machine (Vista) using its local group policy: Computer->Windows Settings->Security Settings->Network Security: LAN Manager authentication level. I changed it to Send LM & NTLM – use NTLMv2 session security if negotiated.

This worked, and I'm able to log in to the web application using NTLM. Now this application would be used by all of my client machines… so I'm wondering what the security risks are if I were to push this policy out to all of them (not to the domain controller itself though)?
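To size the risk the question asks about, here is an added PowerShell example (not from the original post) that reports a host's effective LAN Manager authentication level and lists which workstations have actually logged on to it with NTLMv1 in the last week. It assumes it runs on the server or domain controller being audited, with read access to the Security log and logon auditing enabled.

```powershell
# Added example (not from the original post): inventory NTLMv1 use before
# deciding whether to push the "Send LM & NTLM" policy to every client.
# Assumes: run on the audited server/DC, Security log readable, logon
# auditing (event 4624) enabled.

# 1. Effective LAN Manager authentication level of this host. The policy
#    in the question writes LmCompatibilityLevel under the Lsa key; if the
#    value is absent the operating system default applies.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                        -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
$levelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only, refuse LM'
    5 = 'Send NTLMv2 response only, refuse LM & NTLM'
}
if ($null -eq $lsa) { 'LmCompatibilityLevel not set (OS default applies)' }
else { "LmCompatibilityLevel = $($lsa.LmCompatibilityLevel): $($levelNames[[int]$lsa.LmCompatibilityLevel])" }

# 2. Which clients have authenticated with NTLMv1 recently. Logon event
#    4624 records the NTLM sub-protocol in its LmPackageName field
#    ('NTLM V1', 'NTLM V2', or '-' for non-NTLM logons such as Kerberos).
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
             -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['LmPackageName'] -eq 'NTLM V1') {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Account     = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                Workstation = $d['WorkstationName']
                SourceIP    = $d['IpAddress']
            }
        }
    } |
    Group-Object Workstation |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Accounts'; e = { ($_.Group.Account | Sort-Object -Unique) -join ', ' } }
```

Running this on the domain controller before and after the change shows exactly which machines and accounts would be exposed to NTLMv1 downgrade and relay risk, which is the information needed to decide whether the policy should go to every client or only to the few that truly need it.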

Best Answer

It's a really bad practice, kinda like enabling WEP to protect your WiFi because you have a Windows 98 computer that won't work with WPA2. It's 2009, Kerberos works if you really, really need SSO.

I also consider integrated authentication for websites to be a bad practice in general as it often leads to oddball issues when users have multiple accounts (we use separate user/admin accounts), requires you to muck around with IE trust zones, and requires you to use IE or fiddle with Firefox settings.

Given the train wreck that IE has been and continues to be since 2002 or whenever IE6 came out (i.e. the out-of-band ActiveX patch), do you really want to commit to the platform?