Does Cloudflare Support NTLM and Kerberos Authentication?

For Windows servers and .NET applications, please note that Cloudflare does not support Integrated Windows Authentication, NTLM or Kerberos.

This is because Microsoft's authentication method actually violates the HTTP/1.1 spec, which can cause conflicts, such as 401 responses, when using proxy services.

Both Integrated Windows Authentication methods assume that connections are stateful, and require that multiple round-trips complete over a single connection (Reference 1). This is a property not exhibited by proxies, and is also broken in Apache's mod_proxy (Reference 2) and Squid.
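
The failure described above can be reproduced in a small simulation. This is an added example, not Cloudflare's or Microsoft's code: the `Origin` class, the connection names and the placeholder tokens are constructed for illustration, and the proxy is assumed to rotate requests across a pool of origin connections.

```python
import itertools

# Placeholder tokens; real NTLM messages are base64-encoded binary blobs.
NEGOTIATE, CHALLENGE, AUTHENTICATE = "NTLM <type1>", "NTLM <type2>", "NTLM <type3>"
BASIC = "Basic <credentials>"

class Origin:
    """Hypothetical origin that tracks NTLM handshake state per connection."""
    def __init__(self):
        self.challenged = set()  # connection ids that were sent a challenge

    def handle(self, conn_id, authorization):
        """Return (status, WWW-Authenticate value) for one request."""
        if authorization == BASIC:
            return 200, None               # credentials travel with every request
        if authorization == NEGOTIATE:
            self.challenged.add(conn_id)   # state is bound to this connection
            return 401, CHALLENGE
        if authorization == AUTHENTICATE and conn_id in self.challenged:
            self.challenged.discard(conn_id)
            return 200, None
        return 401, "NTLM"                 # no usable state: start over

def direct(origin):
    """Client holds one persistent connection to the origin."""
    return lambda auth: origin.handle("client-conn", auth)

def pooled_proxy(origin, pool=("proxy-conn-A", "proxy-conn-B")):
    """Proxy forwards each request on the next connection in its origin pool."""
    conns = itertools.cycle(pool)
    return lambda auth: origin.handle(next(conns), auth)

def ntlm_handshake(send):
    """Run the three-request NTLM exchange; return the status of each step."""
    return [send(auth)[0] for auth in (None, NEGOTIATE, AUTHENTICATE)]

def basic_request(send):
    """Send one request carrying Basic credentials; return its status."""
    return send(BASIC)[0]

if __name__ == "__main__":
    print("direct NTLM:  ", ntlm_handshake(direct(Origin())))
    print("proxied NTLM: ", ntlm_handshake(pooled_proxy(Origin())))
    print("proxied Basic:", basic_request(pooled_proxy(Origin())))
```

Through the pooled proxy the final NTLM message arrives on a connection that never received the challenge, so the origin answers 401 again, while the Basic request succeeds because it carries no per-connection state.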

Microsoft acknowledges this limitation, stating, "Integrated Windows authentication is best suited for an intranet environment" (Reference 3).

As an alternative, Cloudflare does support Basic and Digest authentication, which are supported in Active Directory for Windows 2000 and later.

Please note that Digest authentication does require the user account to be configured to store passwords as reversible hashes.

Here is a reference from Microsoft detailing NTLM authentication.

References:

  1. https://www.owasp.org/index.php/Authentication_In_IIS
  2. https://issues.apache.org/bugzilla/show_bug.cgi?id=39673
  3. http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/523ae943-5e6a-4200-9103-9808baa00157.mspx?mfr=true
  4. https://technet.microsoft.com/en-us/library/cc780170(v=ws.10).aspx