Re: LOGON_USER lifetime using NTLM

From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 02/09/05


Date: Wed, 9 Feb 2005 02:20:57 -0800

NTLM authentication persists as long as the original authenticated
connection between the client and server exists and the browser uses it to
send requests to the server.

In general, the browser will re-negotiate the authentication on its own
(including NTLM challenge/response) if it is configured to do so -- so the
user does not need to re-authenticate to a given website after the first
login.

Your problem sounds like the web browser is UNABLE to automatically
re-authenticate -- either because the browser is configured to not do this,
or you have some intervening proxy that is unfriendly to NTLM that prevents
this, or you've configured the server to not allow keep-alives which
destroys NTLM.

-- 
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Conrad Chan" <ConradChan@discussions.microsoft.com> wrote in message
news:114A9AEE-F7CB-48AB-9235-6FF8EB6F8D6F@microsoft.com...
The login session using NTLM seems like it will time out as quickly as 3 min.  I
built a sample ASP.NET Web app using Windows authentication.  I can log in with no
problem.  However, if I simply let the browser window idle for 3 min I realize
the NTLM challenge/response will kick in again.
Can anyone explain to me if that is the default behavior?  Does that mean
that my customers have to re-type their username/password after a couple
mins if they are not auto-authenticated?
Thanks for attention
Conrad
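
The connection-bound behaviour described in the reply above, as an added example that is not part of the original thread: a constructed Python model (not IIS code) in which the server keeps NTLM state per TCP connection. `Conn`, `Server`, `browse` and the `reconnect` parameter are hypothetical names, and the message labels `type1`/`type3` stand for the NTLM NEGOTIATE and AUTHENTICATE messages.

```python
# Constructed model of connection-bound NTLM over HTTP; not IIS code.
from dataclasses import dataclass

@dataclass
class Conn:
    """One TCP connection; NTLM state lives here, not in a cookie."""
    state: str = "new"  # new -> challenged -> authenticated

class Server:
    def __init__(self, keep_alive=True):
        self.keep_alive = keep_alive

    def handle(self, conn, auth):
        """Process one request; return (status, connection_closed)."""
        if conn.state == "authenticated":
            status = 200                       # no credentials needed again
        elif auth == "type1":                  # NEGOTIATE
            conn.state, status = "challenged", 401   # 401 carries the CHALLENGE
        elif auth == "type3" and conn.state == "challenged":
            conn.state, status = "authenticated", 200
        else:                                  # anonymous, or type3 with no
            conn.state, status = "new", 401    # challenge pending on this conn
        return status, not self.keep_alive

def browse(server, pages, reconnect=False, max_attempts=6):
    """Fetch `pages` resources; return every status code seen on the wire.

    reconnect=True models the connection being dropped between pages
    (an assumption for illustration, e.g. after an idle period).
    """
    seen, conn = [], Conn()
    for _ in range(pages):
        if reconnect:
            conn = Conn()
        auth = None                            # first try is anonymous
        for _ in range(max_attempts):
            status, closed = server.handle(conn, auth)
            seen.append(status)
            if closed:
                conn = Conn()                  # server hung up: new connection
            if status == 200:
                break
            # browser advances the handshake without prompting the user
            auth = "type1" if auth in (None, "type3") else "type3"
    return seen

if __name__ == "__main__":
    print("keep-alive on :", browse(Server(True), 3))
    print("reconnect     :", browse(Server(True), 2, reconnect=True))
    print("keep-alive off:", browse(Server(False), 1))
```

With keep-alives on, the handshake is paid once per connection; with keep-alives off, the type3 message always arrives on a connection that never issued a challenge, so the model never reaches a 200.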

