This article was previously published under Q183545
This article has been archived. It is offered "as is" and will no longer be updated.
When a Microsoft Internet Explorer client connects to a Microsoft Internet Information Server (IIS) using NTLM authentication, the browser caches the security token. All subsequent connections to the server by this client that request an NTLM response are responded to with the information that is currently cached.
Connections using Basic authentication are similar; however, only the username and password are cached. There is no checking of Windows NT credentials. When you attempt to connect to a remote mailbox during this session, authentication must be passed again; however, authentication is passed from the cache and is valid because it is only a username and password, thus allowing access.
With NTLM, the client connects to the IIS computer and gains access to the Logon.asp page by generating a hashed password and obtaining a security token. This security token is only valid for that connection to that IIS computer. When you attempt to open a remote mailbox and you are prompted for logon credentials, the browser sends the security token that was cached, which, being valid only for the connection to the IIS computer itself, results in denied access.
This is called a double-hop impersonation. NTLM does not support double-hop, because security tokens and hashes are only valid for the computer on which they are generated.
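
A simplified model of the two cases above, added here as an illustration and not part of the original article. HMAC-SHA256 stands in for the real NTLM computations, and the `Server` class, the account data and the function names are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed account database, standing in for the domain both servers trust.
ACCOUNTS = {"alice": "S3cret!"}

def response(password, challenge):
    # Stand-in for the NTLM response: proves knowledge of the password
    # for ONE server challenge without revealing the password itself.
    key = hashlib.sha256(password.encode()).digest()
    return hmac.new(key, challenge, hashlib.sha256).digest()

class Server:
    def __init__(self, name):
        self.name = name
        self.challenge = None

    def new_challenge(self):
        self.challenge = os.urandom(8)  # fresh per connection
        return self.challenge

    def check_ntlm(self, user, resp):
        password = ACCOUNTS.get(user)
        if password is None or self.challenge is None:
            return False
        return hmac.compare_digest(response(password, self.challenge), resp)

    def check_basic(self, user, password):
        return ACCOUNTS.get(user) == password

def basic_double_hop(user, password):
    iis, mailbox = Server("IIS"), Server("mailbox")
    if not iis.check_basic(user, password):
        return False
    # IIS received the username and password themselves, so it can answer
    # the mailbox server's challenge on the user's behalf.
    return mailbox.check_ntlm(user, response(password, mailbox.new_challenge()))

def ntlm_double_hop(user, password):
    iis, mailbox = Server("IIS"), Server("mailbox")
    first_hop = response(password, iis.new_challenge())  # computed on the client
    if not iis.check_ntlm(user, first_hop):
        return False
    # IIS holds only first_hop, which is bound to its own challenge.
    # Replaying it against the mailbox server's new challenge fails.
    mailbox.new_challenge()
    return mailbox.check_ntlm(user, first_hop)
```
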