All client browsers repeatedly asking for NTLM authentication when running through local proxy server

All client browsers repeatedly asking for NTLM authentication when running through local proxy server.

When pointing browsers through the local proxy to the internet, some but not all clients are being repeatedley prompted to authenticate to the proxy server. I have inspected the headers using firefox live headers as well as fiddler, and in all cases the authentication prompts happen when requesting SSL resources.

an example of this would be as follows:

GET http://gmail.google.com/mail/ HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-
flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-
xpsdocument, application/xaml+xml, */*
Accept-Language: en-gb
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 
1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: gmail.google.com


GET http://gmail.google.com/mail/ HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-
flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-
xpsdocument, application/xaml+xml, */*
Accept-Language: en-gb
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 
1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: gmail.google.com
Proxy-Authorization: NTLM 
TlRMTVNTUAABAAAAB7IIogkACQAvAAAABwAHACgAAAAFASgKAAAAD1dJTlhQMUdGTEFHU0hJUDc=


GET http://gmail.google.com/mail/ HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-
flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-
xpsdocument, application/xaml+xml, */*
Accept-Language: en-gb
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 
1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Proxy-Authorization: NTLM 
TlRMTVNTUAADA (more stuff goes here I cut it short)
Host: gmail.google.com

At this point the username and password prompt has appeared in the browser, it does not matter what is typed into this box, correct credentials, random nonsense the browser does not accept anything in this box it will continue to popup. If I press cancel, I sometimes get a http 407 error, but on other occasions I click cancel the website proceeds to download and show normally.

This is repeatable with some clients running through my proxy server, but in other cases it does not happen at all.

In the cases where a client computer works normally, the only difference I can see is that the 3rd request for SSL resource comes back with a 200 response, see below:

CONNECT gmail.google.com:443 HTTP/1.0
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MALC)
Proxy-Connection: Keep-Alive
Content-Length: 0
Host: gmail.google.com
Pragma: no-cache
Proxy-Authorization: NTLM TlRMTVNTUAADAAAAGAAYAIAAAA
A SSLv3-compatible ClientHello handshake was found.

I have tried resetting user accounts as well as computer accounts in Active Directory. User accounts and passwords that are being used are correct and the passwords have been reset so they are not out of sync. I have removed the clients and even the proxy server from the domain, and rejoined them. I have installed a complete separate proxy server and get exactly the same problem when I point clients to a different proxy server on a different IP address.


Solution 1:

ntlm requires tcp sessions with keep alive enabled since it's bound to the tcp connection, it's usually off through a proxy or with short timeouts,and many proxies also use http 1.0 = one request per connection. ... which essentially gives the same problem. change authorization to kerberos, digest or plain auth. neither should be a problem if site is in ssl if you run in accelerated mode.

best option is if you can change your proxy software though, look for keep-alive and http 1.1 connections. have no experience of microsoft proxy server I'm from another camp, but I'm pretty sure that what you are experiencing is what I describe.

regards,

peter