You are having problems accessing a website that does NTLM authentication

book

Article ID: 167662

calendar_today

Updated On:

Products

ProxySG Software - SGOS

Issue/Introduction

You are having problems accessing a website that does NTLM authentication
When going to an authenticated site, the browser does not give a pop-up when proxied to the ProxySG

Resolution

Troubleshooting problems accessing a website that does NTLM authentication

NTLM authentication is designed to take place between the client and server with no intermediary terminating device, such as a proxy. Being aware of this fact, Internet Explorer will not issue an authentication prompt if it receives a '401 Authenticate' response containing only NTLM Authentication headers if proxy settings are configured. Instead the end user will see a browser 401 message.

To work around this issue, Blue Coat proxies have a feature called 'force NTLM on IE'. What this feature does is issue a '407 Proxy Authentication' challenge instead of a '401 Authenticate' challenge to the browser so that it will prompt the end user for credentials. While the browser believes it is providing proxy authentication credentials, the Blue Coat proxy is aware that they are actually server authentication credentials.

Note that the behavior described above only occurs if the origin server supports only NTLM authentication. If the server supports both NTLM and BASIC authentication then the browser can still successfully authenticate while proxied using BASIC authentication.

To force NTLM through the CLI, use the following command:

SGOS#(config)http force-ntlm

To force NTLM through policy, use the CPL property http.force_ntlm_for_server_auth( ). For information about this CPL property, please refer to the CPL guide found in ProxySG Content Policy Language Reference (7.1.x)