Basic Authentication vs NTLM

Question

Hi,
is there anybody out there who would prefer BASIC-AUTH over NTLM?
What would you tell a customer why to swap to NTLM?
The background is that a lot of UTM customers use BASIC and XG doesnt runs this anymore. Is there a alternative?

This thread was automatically locked due to age.

Michael Dunn · Accepted Answer

I confirmed that in XG the NTLM cache is 4 minutes. 
 In standard mode if I recall correctly the browser will continue to send NTLM type 3 messages (SessionIds) as part of the header on every request (because the browser thinks it is talking to a proxy server). 
 In transparent mode, the browser will not send any authentication information after it does the initial auth (because the browser thinks it is talking to a real website) until auth is re-requested. 
 To complicate matters, though, we actually send "WWW-Authenticate: Negotiate" which allows for both Kerberos and NTLM. Windows computers in a domain will prefer Kerberos. The result however is the same (though I'm not sure if Kerberos uses SessionsIds). In XG (and with a lot of the internet) when we say "NTLM" it is shorthand for "Negotiate=NTLM/Kerberos". 
 
 If you want greater detail on how NTLM works you can google "ntlm type 1 2 3" and "how does kerberos work in http". There is nothing special about Sophos's implementation.

lferrara · Answer

Mr. Roboto, 
 what do you mean for basic authetication? I guess is the Captive Portal, where the unauthenticated user will be prompted with a popup to authenticate. 
 NTLM is a passive authentication method for the user. Authentication are passed by the browser to XG trasparently. 
 Regards

sachingurung · Answer

Hi, 
 Welcome to the Community Mr.Roboto. Reading through basic authentication, I see you a web based HTTP user agent. There is a useful YouTube link here describing about the feature and configurations. 
 Hope that helps.

Mr.Roboto · Answer

Get it :) 
 Thank you so much :)