All client browsers repeatedly asking for NTLM authentication when running through local proxy server
- by Marko
All client browsers repeatedly asking for NTLM authentication when running through local proxy server.
When pointing browsers through the local proxy to the internet, some but not all clients are being repeatedley prompted to authenticate to the proxy server.
I have inspected the headers using firefox live headers as well as fiddler, and in all cases the authentication prompts happen when requesting SSL resources.
an example of this would be as follows:
GET http://gmail.google.com/mail/ HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-
flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-
xpsdocument, application/xaml+xml, */*
Accept-Language: en-gb
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR
1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: gmail.google.com
GET http://gmail.google.com/mail/ HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-
flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-
xpsdocument, application/xaml+xml, */*
Accept-Language: en-gb
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR
1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: gmail.google.com
Proxy-Authorization: NTLM
TlRMTVNTUAABAAAAB7IIogkACQAvAAAABwAHACgAAAAFASgKAAAAD1dJTlhQMUdGTEFHU0hJUDc=
GET http://gmail.google.com/mail/ HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-
flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-
xpsdocument, application/xaml+xml, */*
Accept-Language: en-gb
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR
1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Proxy-Authorization: NTLM
TlRMTVNTUAADA (more stuff goes here I cut it short)
Host: gmail.google.com
At this point the username and password prompt has appeared in the browser, it does not matter what is typed into this box, correct credentials, random nonsense the browser does not accept anything in this box it will continue to popup.
If I press cancel, I sometimes get a http 407 error, but on other occasions I click cancel the website proceeds to download and show normally.
This is repeatable with some clients running through my proxy server, but in other cases it does not happen at all.
In the cases where a client computer works normally, the only difference I can see is that the 3rd request for SSL resource comes back with a 200 response, see below:
CONNECT gmail.google.com:443 HTTP/1.0
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MALC)
Proxy-Connection: Keep-Alive
Content-Length: 0
Host: gmail.google.com
Pragma: no-cache
Proxy-Authorization: NTLM TlRMTVNTUAADAAAAGAAYAIAAAA
A SSLv3-compatible ClientHello handshake was found.
I have tried resetting user accounts as well as computer accounts in Active Directory.
User accounts and passwords that are being used are correct and the passwords have been reset so they are not out of sync.
I have removed the clients and even the proxy server from the domain, and rejoined them.
I have installed a complete separate proxy server and get exactly the same problem when I point clients to a different proxy server on a different IP address.
