4.6 Proxy Authentication using NTLM Example
The following example illustrates the sequence of messages exchanged to communicate through an NTLM-enabled proxy. The example uses the Secure Tunnel proxy to perform the NTLM authentication.
Figure 31: Client NTLM authentication example
The following is an example of the messages exchanged between the client and the Secure Tunnel proxy to create a connection between the client and the server.
The client creates a TCP connection to the Secure Tunnel proxy and requests a connection to the server using the following message:
----------------------------------Message START ----------------------------------
CONNECT server.domain.net:443 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Win32)
proxy-Connection: Keep-Alive
Pragma: no-cache
----------------------------------Message END ------------------------------------
The Secure Tunnel proxy responds with the following "407 Proxy Authentication Required" message, which lists the authentication schemes the proxy accepts (Negotiate, Kerberos and NTLM), and then closes the connection (Connection: close):
----------------------------------Message START ----------------------------------
HTTP/1.1 407 Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web proxy service is denied. )
Via: 1.1 SPIRIT1B
proxy-Authenticate: Negotiate
proxy-Authenticate: Kerberos
proxy-Authenticate: NTLM
Connection: close
proxy-Connection: close
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 701
----------------------------------Message END ------------------------------------
The client opens a new connection to the Secure Tunnel proxy and repeats the CONNECT request, this time carrying an NTLM NEGOTIATE_MESSAGE (Type 1) in the proxy-Authorization header:
----------------------------------Message START ----------------------------------
CONNECT server.domain.net:443 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Win32)
proxy-Connection: Keep-Alive
Pragma: no-cache
proxy-Authorization: NTLM TlRMTVNTUAABAAAAt7II4gkACQAxAAAACQAJACgAAAAFASgKAAAAD0xBQlNNT0tFM1dPUktHUk9VUA==
----------------------------------Message END ------------------------------------
The proxy again denies access with a 407, but this time the proxy-Authenticate header carries an NTLM CHALLENGE_MESSAGE (Type 2) containing the 8-byte server challenge. Note that the proxy now keeps the connection open (Connection: Keep-Alive): the NTLM challenge is bound to this TCP connection, and the client's answer must arrive on the same connection.
----------------------------------Message START ----------------------------------
HTTP/1.1 407 Proxy Authentication Required ( Access is denied. )
Via: 1.1 SPIRIT1B
proxy-Authenticate: NTLM TlRMTVNTUAACAAAAEAAQADgAAAA1goriluCDYHcYI/sAAAAAAAAAAFQAVABIAAAABQLODgAAAA9TAFAASQBSAEkAVAAxAEIAAgAQAFMAUABJAFIASQBUADEAQgABABAAUwBQAEkAUgBJAFQAMQBCAAQAEABzAHAAaQByAGkAdAAxAGIAAwAQAHMAcABpAHIAaQB0ADEAYgAAAAAA
Connection: Keep-Alive
proxy-Connection: Keep-Alive
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 0
----------------------------------Message END ------------------------------------
On the same connection, the client repeats the CONNECT request and includes the NTLM AUTHENTICATE_MESSAGE (Type 3), which carries the user name, domain and workstation together with the responses computed from the server challenge:
----------------------------------Message START ----------------------------------
CONNECT server.domain.net:443 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Win32)
proxy-Connection: Keep-Alive
Pragma: no-cache
proxy-Authorization: NTLM TlRMTVNTUAADAAAAGAAYAHIAAAAYABgAigAAABIAEgBIAAAABgAGAFoAAAASABIAYAAAABAAEACiAAAANYKI4gUBKAoAAAAPTABBAEIAUwBNAE8ASwBFADMAXwBxAGEATABBAEIAUwBNAE8ASwBFADMA0NKq8HYYhj8AAAAAAAAAAAAAAAAAAAAAOIiih3mR+AkyM4r99sy1mdFonCu2ILODro1WTTrJ4b4JcXEzUBA2Ig==
----------------------------------Message END ------------------------------------
Once the proxy has verified the response, it connects to the server and answers with "200 Connection established", which tells the client that the tunnel is open:
----------------------------------Message START ----------------------------------
HTTP/1.1 200 Connection established
Via: 1.1 SPIRIT1B
----------------------------------Message END ------------------------------------
After the NTLM authentication has finished and the Secure Tunnel proxy has established the connection to the server, the client and server exchange application data over the tunnel; everything the client sent before this point, including the three NTLM tokens, travelled in clear text inside the CONNECT exchange.
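The following Python script is an added example, not part of this specification or of any Microsoft product; it decodes the three NTLM tokens and the scheme list from the exchange above, so that a reader can see what the base64 blobs actually carry. The HTTP messages embedded in it are transcribed from the messages above with the bodies and most headers omitted; the function names and the field offsets used are the example's own, following the NEGOTIATE_MESSAGE, CHALLENGE_MESSAGE and AUTHENTICATE_MESSAGE layouts (8-byte signature, 4-byte message type, then 8-byte Len/MaxLen/Offset field descriptors).

```python
"""Decode the NTLM tokens carried by the Secure Tunnel proxy exchange above (added example)."""
import base64
import json
import struct

# HTTP messages transcribed from the exchange above (constructed for this example; bodies omitted).
FIRST_407 = (
    "HTTP/1.1 407 Proxy Authentication Required\r\n"
    "Via: 1.1 SPIRIT1B\r\n"
    "proxy-Authenticate: Negotiate\r\n"
    "proxy-Authenticate: Kerberos\r\n"
    "proxy-Authenticate: NTLM\r\n"
    "Connection: close\r\n\r\n"
)
CONNECT_TYPE1 = (
    "CONNECT server.domain.net:443 HTTP/1.0\r\n"
    "proxy-Connection: Keep-Alive\r\n"
    "proxy-Authorization: NTLM TlRMTVNTUAABAAAAt7II4gkACQAxAAAACQAJACgAAAAFASgKAAAAD0xBQlNNT0tFM1dPUktHUk9VUA==\r\n\r\n"
)
CHALLENGE_407 = (
    "HTTP/1.1 407 Proxy Authentication Required\r\n"
    "Via: 1.1 SPIRIT1B\r\n"
    "proxy-Authenticate: NTLM TlRMTVNTUAACAAAAEAAQADgAAAA1goriluCDYHcYI/sAAAAAAAAAAFQAVABIAAAABQLODgAAAA9TAFAASQBSAEkAVAAxAEIAAgAQAFMAUABJAFIASQBUADEAQgABABAAUwBQAEkAUgBJAFQAMQBCAAQAEABzAHAAaQByAGkAdAAxAGIAAwAQAHMAcABpAHIAaQB0ADEAYgAAAAAA\r\n"
    "Connection: Keep-Alive\r\n\r\n"
)
CONNECT_TYPE3 = (
    "CONNECT server.domain.net:443 HTTP/1.0\r\n"
    "proxy-Connection: Keep-Alive\r\n"
    "proxy-Authorization: NTLM TlRMTVNTUAADAAAAGAAYAHIAAAAYABgAigAAABIAEgBIAAAABgAGAFoAAAASABIAYAAAABAAEACiAAAANYKI4gUBKAoAAAAPTABBAEIAUwBNAE8ASwBFADMAXwBxAGEATABBAEIAUwBNAE8ASwBFADMA0NKq8HYYhj8AAAAAAAAAAAAAAAAAAAAAOIiih3mR+AkyM4r99sy1mdFonCu2ILODro1WTTrJ4b4JcXEzUBA2Ig==\r\n\r\n"
)

SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000
AV_NAMES = {1: "MsvAvNbComputerName", 2: "MsvAvNbDomainName",
            3: "MsvAvDnsComputerName", 4: "MsvAvDnsDomainName"}


def header_values(message, name):
    """Return the values of every header called `name` (case-insensitive) in an HTTP message."""
    head = message.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:          # skip the request/status line
        key, _, value = line.partition(":")
        if key.strip().lower() == name.lower():
            values.append(value.strip())
    return values


def ntlm_token(message, header):
    """Return the base64 NTLM token from a proxy-Authenticate/proxy-Authorization header, or None."""
    for value in header_values(message, header):
        scheme, _, token = value.partition(" ")
        if scheme.lower() == "ntlm" and token.strip():
            return token.strip()
    return None                                   # a bare "NTLM" (no token) is only a scheme offer


def _field(buf, off):
    """Resolve an 8-byte Len/MaxLen/BufferOffset descriptor at `off` to the bytes it points at."""
    length, _max_len, offset = struct.unpack_from("<HHI", buf, off)
    return buf[offset:offset + length]


def _version(buf, off):
    """ProductMajorVersion, ProductMinorVersion, ProductBuild as 'major.minor.build'."""
    return "%d.%d.%d" % struct.unpack_from("<BBH", buf, off)


def _av_pairs(blob):
    """Walk the AV_PAIR list in TargetInfo until MsvAvEOL (AvId 0)."""
    pairs, off = {}, 0
    while True:
        av_id, av_len = struct.unpack_from("<HH", blob, off)
        off += 4
        if av_id == 0:
            return pairs
        value = blob[off:off + av_len]
        pairs[AV_NAMES.get(av_id, str(av_id))] = value.decode("utf-16-le") if av_id in AV_NAMES else value.hex()
        off += av_len


def parse_ntlm(token):
    """Decode a base64 NTLM token into a dict describing its message type and payload fields."""
    buf = base64.b64decode(token)
    if buf[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    mtype = struct.unpack_from("<I", buf, 8)[0]
    if mtype == 1:   # NEGOTIATE_MESSAGE: flags @12, OEM-encoded domain @16 and workstation @24, Version @32
        return {"type": 1, "flags": struct.unpack_from("<I", buf, 12)[0],
                "domain": _field(buf, 16).decode("ascii"),
                "workstation": _field(buf, 24).decode("ascii"), "version": _version(buf, 32)}
    if mtype == 2:   # CHALLENGE_MESSAGE: TargetName @12, flags @20, ServerChallenge @24, TargetInfo @40
        flags = struct.unpack_from("<I", buf, 20)[0]
        enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "ascii"
        return {"type": 2, "flags": flags, "target_name": _field(buf, 12).decode(enc),
                "server_challenge": buf[24:32].hex(), "target_info": _av_pairs(_field(buf, 40)),
                "version": _version(buf, 48)}
    if mtype == 3:   # AUTHENTICATE_MESSAGE: LM @12, NT @20, domain @28, user @36, workstation @44, key @52
        flags = struct.unpack_from("<I", buf, 60)[0]
        enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "ascii"
        lm, nt = _field(buf, 12), _field(buf, 20)
        # With extended session security and a 24-byte NT response, the LM field holds an 8-byte
        # client nonce padded with 16 zero bytes (the NTLM2 session response), not an LM hash response.
        ntlm2 = bool(flags & NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY) and len(nt) == 24 and lm[8:] == bytes(16)
        return {"type": 3, "flags": flags, "domain": _field(buf, 28).decode(enc),
                "user": _field(buf, 36).decode(enc), "workstation": _field(buf, 44).decode(enc),
                "lm_response": lm.hex(), "nt_response": nt.hex(), "session_key_len": len(_field(buf, 52)),
                "ntlm2_session": ntlm2, "version": _version(buf, 64)}
    raise ValueError("unknown NTLM message type %d" % mtype)


def decode_exchange():
    """Decode the scheme offer and the three NTLM tokens of the exchange above, in wire order."""
    return {"offered_schemes": [v.split(" ")[0] for v in header_values(FIRST_407, "proxy-Authenticate")],
            "negotiate": parse_ntlm(ntlm_token(CONNECT_TYPE1, "proxy-Authorization")),
            "challenge": parse_ntlm(ntlm_token(CHALLENGE_407, "proxy-Authenticate")),
            "authenticate": parse_ntlm(ntlm_token(CONNECT_TYPE3, "proxy-Authorization"))}


if __name__ == "__main__":
    print(json.dumps(decode_exchange(), indent=2))
```

Running it shows what the base64 hides: the Type 1 message announces the client as workstation LABSMOKE3 in WORKGROUP with an OS version of 5.1.2600; the Type 2 message names the proxy SPIRIT1B, carries the server challenge 96e08360771823fb, and its TargetInfo lists NetBIOS and DNS domain names equal to the computer name (a standalone machine, version 5.2.3790); the Type 3 message authenticates LABSMOKE3\_qa with an NTLM2 session response (client nonce d0d2aaf07618863f in the LM field) and a 16-byte encrypted session key. Note that the first 407 is only an offer: its bare "NTLM" value carries no token, and ntlm_token() returns None for it.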