Rare intermittent authentication pop-ups due to HTTP persistent connections with IWA / NTLM

Article ID: 166835

Products

ProxySG Software - SGOS

Issue/Introduction

When IWA (Integrated Windows Authentication) / NTLM (NT LAN Manager) is used, users may see rare, intermittent authentication pop-ups.

This usually happens when both of the following are true:
- the upstream proxy/server decides to close the HTTP connection with the downstream proxy
- the downstream proxy decides to maintain the HTTP connection with the web browser during authentication

Note: As the problem is very rare and intermittent, it may be very difficult to obtain a packet capture that shows the problem.

Resolution

The following policy effectively disables HTTP client persistent connections: it closes the HTTP connection with the web browser whenever the upstream device (another proxy or a server) closes its HTTP connection. Install it under Management Console > Configuration tab > Policy > Policy Files > Install Local File from > Text Editor.

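; Matches when the upstream response asks to close the connection.
; Each line of a condition definition is an alternative (logical OR).
define condition close_connection
    response.header.Connection="close"
    response.header.Proxy-Connection="close"
end

<Proxy>
    ; Do not keep the client (browser) connection open for matching responses
    condition=close_connection http.client.persistence(no)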
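
Because the problem is hard to catch in a packet capture, it can help to check saved upstream response headers offline. The following Python script is an added example, not part of the original article or of SGOS: it flags responses that signal close through the two headers the policy tests, and marks those that also carry an NTLM challenge. The sample responses, the function names and the token-based header matching are assumptions made for illustration.

```python
import base64

# Constructed sample response heads, as a downstream proxy might receive them.
CHALLENGE = "TlRMTVNTUAACAAAA"  # constructed: b"NTLMSSP\0" + message type 2, truncated
SAMPLES = {
    "challenge_close": "HTTP/1.1 407 Proxy Authentication Required\r\n"
        f"Proxy-Authenticate: NTLM {CHALLENGE}\r\nProxy-Connection: close\r\n",
    "challenge_keep": "HTTP/1.1 407 Proxy Authentication Required\r\n"
        f"Proxy-Authenticate: NTLM {CHALLENGE}\r\nProxy-Connection: Keep-Alive\r\n",
    "ok_close": "HTTP/1.1 200 OK\r\nConnection: TE, close\r\n",
}

def parse_head(raw):
    """Split a raw response head into (status, {lower-case name: [values]})."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers

def signals_close(headers):
    # Assumption: treat the header as a comma-separated token list.
    for name in ("connection", "proxy-connection"):
        for value in headers.get(name, []):
            if "close" in [t.strip().lower() for t in value.split(",")]:
                return True
    return False

def ntlm_message_type(headers):
    """Return the NTLM message type (1, 2 or 3) in an auth header, or None."""
    for name in ("proxy-authenticate", "www-authenticate"):
        for value in headers.get(name, []):
            scheme, _, token = value.partition(" ")
            try:
                blob = base64.b64decode(token, validate=True)
            except ValueError:
                continue
            if scheme.upper() == "NTLM" and blob[:8] == b"NTLMSSP\x00" and len(blob) >= 12:
                return int.from_bytes(blob[8:12], "little")
    return None

def classify(raw):
    status, headers = parse_head(raw)
    close = signals_close(headers)
    challenge = status in (401, 407) and ntlm_message_type(headers) == 2
    if close and challenge:
        return "close-during-ntlm-handshake"
    return "close" if close else "persistent"
```

A response classified as close-during-ntlm-handshake is one where the upstream side ends its connection while authentication is still in progress, which is the first of the two conditions listed above.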