Does Cloudflare Support NTLM and Kerberos Authentication?

For Windows servers and .NET applications, please note that Cloudflare does not support Integrated Windows Authentication, NTLM or Kerberos.

This is because Microsoft's authentication method actually violates the HTTP/1.1 spec, which can cause conflicts, such as 401 responses, when using proxy services.

Both Integrated Windows Authentication methods assume that connections are stateful, and require that multiple round-trips complete over a single connection (Reference 1). This is a property not exhibited by proxies, and is also broken in Apache's mod_proxy (Reference 2) and Squid.
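The failure mode described above, as an added example (not Cloudflare's or Microsoft's code): a constructed Python model in which the origin ties handshake state to a connection id, and a proxy forwards each request on the next pooled upstream connection. The class and function names and the placeholder token strings are assumptions made for illustration.

```python
"""Constructed model of a connection-bound, NTLM-style three-leg handshake."""
import itertools


class Origin:
    """Origin that keeps handshake state per connection, as NTLM assumes."""

    def __init__(self):
        self.state = {}  # connection id -> "challenged" | "authenticated"

    def handle(self, conn_id, authorization=None):
        st = self.state.get(conn_id)
        if st == "authenticated":
            return 200, None                     # this connection is already trusted
        if authorization == "NTLM <type1>":      # placeholder token, constructed
            self.state[conn_id] = "challenged"   # challenge is bound to this connection
            return 401, "NTLM <type2-challenge>"
        if authorization == "NTLM <type3>" and st == "challenged":
            self.state[conn_id] = "authenticated"
            return 200, None
        return 401, "NTLM"                       # no usable state on this connection


def run_handshake(send):
    """Client side of the exchange; returns the status codes it saw."""
    statuses = []
    status, _ = send()                           # 1. anonymous request
    statuses.append(status)
    status, challenge = send("NTLM <type1>")     # 2. negotiate
    statuses.append(status)
    if challenge == "NTLM <type2-challenge>":
        status, _ = send("NTLM <type3>")         # 3. authenticate
        statuses.append(status)
    return statuses


def direct(origin):
    """Client holds one persistent connection to the origin."""
    return run_handshake(lambda auth=None: origin.handle("conn-A", auth))


def via_pooling_proxy(origin, pool=("up-1", "up-2")):
    """Proxy sends each request on the next upstream connection in its pool."""
    conns = itertools.cycle(pool)
    return run_handshake(lambda auth=None: origin.handle(next(conns), auth))


if __name__ == "__main__":
    print("direct:       ", direct(Origin()))
    print("pooling proxy:", via_pooling_proxy(Origin()))
```

Through the pooling proxy the final leg arrives on a connection that never received the challenge, so the client sees a third 401 instead of a 200.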

Microsoft acknowledges this limitation stating, "Integrated Windows authentication is best suited for an intranet environment" (Reference 3).

As an alternative, Cloudflare does support Basic and Digest authentication, which are supported in Active Directory for Windows 2000 and later.

Please note that Digest authentication does require the user account to be configured to store passwords as reversible hashes.

Here is a reference from Microsoft detailing NTLM authentication.

References:

  1. https://www.owasp.org/index.php/Authentication_In_IIS
  2. https://issues.apache.org/bugzilla/show_bug.cgi?id=39673
  3. http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/523ae943-5e6a-4200-9103-9808baa00157.mspx?mfr=true
  4. https://technet.microsoft.com/en-us/library/cc780170(v=ws.10).aspx