Question
What is the difference between NTLM and LDAP authentication?
Environment
Cisco Web Security Appliance (WSA), all versions of AsyncOS
Authentication with the WSA can be broken down into the following possibilities:
Client > WSA | WSA > Authentication server | Authentication server type
Basic authentication | LDAP authentication | LDAP server
Basic authentication | LDAP authentication | Active Directory server using LDAP
Basic authentication | NTLM Basic authentication | Active Directory server (NTLM Basic)
NTLM authentication | NTLMSSP authentication | Active Directory server (NTLMSSP)
Note: NTLMSSP is commonly referred to as NTLM.
The noteworthy differences between Basic authentication and NTLM authentication are described below.
Client Experience
Basic
The client will always be prompted for credentials. After credentials have been entered, browsers will typically offer a check box to remember the credentials provided. Any time the browser is closed, the client will prompt again or send the previously remembered credentials again.
Note: NTLM Basic utilizes Basic authentication from the client and thus will have the same properties.
NTLM (SSP)
- The client will transparently authenticate using its Windows logon credentials.
- The only cases in which the client will prompt for credentials are if the Windows credentials first fail (this will occur if the client is logged in locally to the computer and not to the domain used for authentication) or if the client does not trust the WSA.
Security
Basic
Credentials are sent insecurely using plain text. A simple packet capture between the client and the WSA will reveal the user's username AND password.
NTLM (SSP)
Credentials are sent securely via a three-way handshake (digest style authentication). The password is NEVER sent across the wire.
The NTLM process is as follows:
- The Client sends an NTLM Negotiate packet. This tells the WSA that the client intends to do NTLM authentication.
- The WSA sends an NTLM Challenge string to the client.
- The client uses an algorithm based on its password to modify the challenge and sends the challenge response to the WSA.
- The AD server then verifies that the client is using the correct password based on whether or not it modified the challenge string appropriately.
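The four steps above, modelled as an added example (not code from Cisco or the WSA) with a Client, a WSA and an AD server that holds only a password hash. The response function is a stand-in for the real algorithm: actual NTLM derives the NT hash from MD4 of the UTF-16LE password and NTLMv2 uses HMAC-MD5, whereas this model uses SHA-256 so it runs anywhere; the account name and password are constructed sample values.

```python
import base64
import hashlib
import hmac
import secrets


def password_hash(password: str) -> bytes:
    # Stand-in for the NT hash stored by the domain controller (real NTLM: MD4 over UTF-16LE).
    return hashlib.sha256(password.encode("utf-16-le")).digest()


class ADServer:
    """Verifier: stores only password hashes, never the cleartext password."""
    def __init__(self, accounts: dict):
        self._hashes = {user: password_hash(pw) for user, pw in accounts.items()}

    def verify(self, username: str, challenge: bytes, response: bytes) -> bool:
        stored = self._hashes.get(username)
        if stored is None:
            return False
        expected = hmac.new(stored, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class WSA:
    def __init__(self, ad: ADServer):
        self.ad = ad

    def challenge(self) -> bytes:
        # Steps 1-2: after the client's Negotiate, the WSA issues a fresh random challenge.
        return secrets.token_bytes(8)

    def verify(self, username: str, challenge: bytes, response: bytes) -> bool:
        # Step 4: the WSA hands challenge and response to AD, which holds the hash.
        return self.ad.verify(username, challenge, response)


class Client:
    def __init__(self, username: str, password: str):
        self.username = username
        self._hash = password_hash(password)  # derived once from the Windows logon password

    def answer(self, challenge: bytes) -> bytes:
        # Step 3: modify the challenge with a key derived from the password; the password itself stays local.
        return hmac.new(self._hash, challenge, hashlib.sha256).digest()


def ntlm_exchange(client: Client, wsa: WSA):
    """Runs the handshake; returns (authenticated, every byte that crossed the wire)."""
    challenge = wsa.challenge()
    response = client.answer(challenge)
    return wsa.verify(client.username, challenge, response), challenge + response


def basic_on_wire(username: str, password: str) -> str:
    # For comparison, the Basic scheme's header value: base64 is an encoding, not encryption.
    return base64.b64encode(f"{username}:{password}".encode()).decode()
```

A packet capture of the NTLM exchange yields only the challenge and the keyed response, which is why the AD server, not the WSA, performs the final check.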