Forum Discussion

  • As I know when using http 401 authentication, negotiate can only be used for NTLM and Kerberos, if http 407 proxy authentication is used, negotiate can be used Basic and NTLM

     

  • Hi,

     

    I am a bit confused. I did test with Access Policy assigned to SWG-Explicit type profile.

     

    In policy I have HTTP 407 Response object

     

    From test:

     

    • Profile with NTLM Auth Configuration: None
    • HTTP 407 Response: basic

    Result: All users (connected to domain and not connected) will get authentication popup when first connecting to proxy

     

    • Profile with NTLM Auth Configuration: my ntlm profile
    • User Identification Method: tested both IP and Credentials - no difference
    • HTTP 407 Response: basic+negotiate
      • basic branch pointing to AD Auth
      • negotiate to NTLM Auth Result

    Result: Both user connected to domain and not connected cen't access web sites. Auth popup is displayed again and again. Looking at user not connected to domain I can see attempt to use NTLM, in APM logs I can see error that user@computername do not exist - what is of course correct.

     

    So either my policy is wrong, or it's not possible to use HTTP 407 Response: basic+negotiate for NTLM, only for Kerberos - no NTLM Auth Configuration set in profile.

     

    Piotr

     

  • Seems that there is no way to use NTML and basic at the same time. When NTLM Auth Configuration is enabled in Access Profile then APM is sending:

     

    HTTP/1.1 407 Proxy Authentication Required: Proxy-Authenticate: NTLM

     

    immediately even before starting Access Policy. What is strange some requests are reaching HTTP 407 Response object and there is successful authentication but for next request again NTML is requested and failing because connecting client is not connected to domain.

     

    So it seems NTML and basic clients can not be handled in any way with the same VS and Access Profile :-(

     

    Piotr