"Stacking" NTLM Authentication

This question came up today (well, actually, it was about four weeks ago I started typing this, but bear with me), and it's been a little while since I've rambled about authentication protocols, so let's enjoy a nice, calm discussion on a Monday, er, Tuesday arvo.

The request was something like:
In a Web Publishing scenario, can I do NTLM at the ISA Server and NTLM at the Exchange server too?

No

And the answer is - well, no.

There's no way for the client browser to distinguish between the ISA Server (first) saying 401 WWW-Authenticate: NTLM and then the IIS Server saying 401 WWW-Authenticate: NTLM. Both 401s arrive on the same TCP connection with the same header, and NTLM authenticates the connection (via the Type 1, Type 2, Type 3 handshake), not each individual request, so once IE has finished that handshake it does not expect to see another challenge on that connection.

Because it looks like a repeated authentication sequence on a connection that is already authenticated from IE's perspective (and IE doesn't think it's talking to a different server), IE assumes there's been an auth failure (why else would the server challenge again?).

So, lots of authentication prompts are going to happen, and retyping the password doesn't help: ISA accepts it again and IIS challenges again. ISA can't finish the IIS handshake on the user's behalf either, because a challenge-response protocol never gives the middle box the password, only the response to ISA's own challenge. The solution (as described) is not workable.

But

With ISA 2006 and its amazingly-useful-how-did-we-ever-live-without-them Authentication features:

What you could do is Integrated Windows Authentication at the Exchange server (i.e. allow Kerberos), and use protocol transition at the ISA Server: whatever form of authentication the listener accepts from the client (forms, Basic, NTLM, certificates) gets turned into Kerberos constrained delegation to the Exchange server's HTTP service principal, so the back end sees a Kerberos ticket for the user instead of sending a second NTLM challenge back to the browser. (If the listener actually collected the password, as forms-based or Basic authentication does, ISA 2006 can delegate with Basic or NTLM instead; KCD is the method that works regardless of what the client used.) The prerequisites are the usual KCD ones: the ISA computer account must be trusted to delegate to the Exchange server's HTTP SPN with "use any authentication protocol" selected (that is the protocol transition part), and that SPN must be registered on the account the Exchange web site runs as, or the delegation simply fails and Exchange never sees a usable ticket.
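As an added example (not code from the original post, and nothing from ISA or IIS), the following Python model walks through both exchanges described above: the stacked-NTLM case where IIS's second 401 reaches the browser after it has already completed the handshake, and the ISA 2006 alternative where the listener authenticates the client and then presents a Kerberos ticket obtained by constrained delegation. The browser, ISA, IIS and KDC are all simulated, the NTLM and Kerberos tokens are placeholder strings rather than real messages, and the names alice, ISA$ and http/exchange.contoso.com are assumptions.

```python
"""Model of the two Web Publishing deployments above (constructed example, not
ISA or IIS code).  NTLM is a three-leg handshake in HTTP headers (Type 1, 2, 3)
that authenticates a TCP connection, so every hop keeps per-connection state.
Assumed names: user alice, ISA account ISA$, SPN http/exchange.contoso.com."""


class NtlmHop:
    """Per-connection NTLM state, shared by the ISA listener and the IIS vdir."""
    def __init__(self, name):
        self.name, self.users = name, {}            # conn id -> authenticated user

    def authenticate(self, conn, headers):
        """None once conn is authenticated, otherwise the 401 to send back."""
        if conn in self.users:
            return None
        auth = headers.get("Authorization", "")
        if auth == "NTLM TYPE1":
            return {"status": 401, "WWW-Authenticate": f"NTLM TYPE2-from-{self.name}"}
        if auth.startswith("NTLM TYPE3 "):
            self.users[conn] = auth.split()[-1]     # real servers verify via the DC
            return None
        return {"status": 401, "WWW-Authenticate": "NTLM"}


class Browser:
    """IE-like client: a 401/NTLM after Type 3, or on an authenticated connection, means 'prompt'."""
    def __init__(self):
        self.authenticated, self.prompts = set(), 0

    def get(self, server, conn, path="/owa/"):
        headers, sent_type3 = {}, False
        for _ in range(3):                          # at most three legs per request
            resp = server.handle(conn, path, headers)
            challenge = resp.get("WWW-Authenticate", "")
            if resp["status"] != 401 or not challenge.startswith("NTLM"):
                self.authenticated.add(conn)        # handshake (if any) is complete
                return resp
            if sent_type3 or conn in self.authenticated:
                self.prompts += 1                   # "why else would it challenge again?"
                return resp
            if challenge == "NTLM":                 # bare challenge: start the handshake
                headers = {"Authorization": "NTLM TYPE1"}
            else:                                   # Type 2 received: answer it
                headers, sent_type3 = {"Authorization": "NTLM TYPE3 alice"}, True
        return resp


class ExchangeFrontEnd(NtlmHop):
    """IIS vdir: NTLM only, or Integrated Windows Auth (Kerberos accepted too)."""
    def __init__(self, spn, accept_kerberos):
        super().__init__("iis")
        self.spn, self.accept_kerberos = spn, accept_kerberos

    def handle(self, conn, path, headers):
        auth = headers.get("Authorization", "")
        if self.accept_kerberos and auth.startswith("Negotiate "):
            user, _, spn = auth[len("Negotiate "):].partition("@")
            if spn == self.spn:                     # ticket was issued for this service
                return {"status": 200, "body": f"mailbox of {user} via Kerberos"}
        challenge = self.authenticate(conn, headers)
        return challenge or {"status": 200, "body": f"mailbox of {self.users[conn]} via NTLM"}


def s4u2proxy(allowed_to_delegate, service, user, target_spn):
    """Toy KDC: delegation only to SPNs in the service's msDS-AllowedToDelegateTo."""
    if target_spn not in allowed_to_delegate.get(service, ()):
        raise PermissionError(f"{service} may not delegate to {target_spn}")
    return f"{user}@{target_spn}"                   # stands in for a service ticket


class Isa(NtlmHop):
    """ISA listener doing NTLM; kcd=None just forwards, a delegation table means KCD."""
    def __init__(self, backend, kcd=None):
        super().__init__("isa")
        self.backend, self.kcd = backend, kcd

    def handle(self, conn, path, headers):
        challenge = self.authenticate(conn, headers)
        if challenge:
            return challenge
        upstream = ("isa->iis", conn)               # ISA's own connection to IIS
        if self.kcd is None:
            # ISA never held the user's password, so it cannot answer IIS's NTLM
            # challenge for them: it sends no credentials and relays the 401/NTLM.
            return self.backend.handle(upstream, path, {})
        try:
            ticket = s4u2proxy(self.kcd, "ISA$", self.users[conn], self.backend.spn)
        except PermissionError as err:              # delegation not set up in AD
            return {"status": 500, "body": str(err)}
        return self.backend.handle(upstream, path, {"Authorization": "Negotiate " + ticket})


def run_scenarios():
    """Returns {scenario: (final HTTP status, credential prompts shown)}."""
    spn, results = "http/exchange.contoso.com", {}
    b = Browser()
    r = b.get(Isa(ExchangeFrontEnd(spn, accept_kerberos=False)), conn=1)
    results["stacked NTLM"] = (r["status"], b.prompts)
    b, isa = Browser(), Isa(ExchangeFrontEnd(spn, True), kcd={"ISA$": {spn}})
    b.get(isa, conn=1)
    r = b.get(isa, conn=1)                          # second request: no re-challenge
    results["KCD"] = (r["status"], b.prompts)
    b, isa = Browser(), Isa(ExchangeFrontEnd(spn, True), kcd={"ISA$": set()})
    results["KCD, SPN not delegated"] = (b.get(isa, conn=1)["status"], b.prompts)
    return results
```

Calling run_scenarios() gives the stacked deployment a 401 and one credential prompt on the very first request, the KCD deployment a 200 with no prompts even on a second request over the same connection, and the third scenario shows the failure mode a practitioner hits most often: the ISA account has no delegation entry for the Exchange SPN, so the ticket request fails at the KDC and the user gets an error page rather than a password prompt.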

So

The question itself was a "no", but the question almost always isn't actually the question. That one's for free.


Special note: I worked really hard on the headings for this post. I hope it was appreciated.