4.2 Proxy Examples

This scenario shows the messages that are exchanged when a web client requests an access-protected document from a proxy using a GET method request at the URL: http://www.nowhere.org/dir/index.html.

 C: GET dir/index.html

The first time the client requests the document, no Proxy-Authorization header is sent, so the proxy responds with the following.

  
 S: HTTP/1.1 407 Proxy Authentication Required
 S: Proxy-Authenticate: NTLM
  

The client obtains the local user credentials using the [MS-NLMP] security package and then generates a new GET request to the proxy. The request contains a Proxy-Authorization header with an NTLM NEGOTIATE_MESSAGE (as specified in [MS-NLMP] section 2.2.1.1) in ntlm-data.

  
 C: GET dir/index.html
 C: Proxy-Authorization: NTLM tESsBmE/yNY3lb6a0L6vVQEZNqwQn0s8Unew
  

The proxy decodes the ntlm-data that is contained in the auth-data2 base64-encoded data and passes this to its implementation of [MS-NLMP]. If the proxy accepts this authentication data from the client, it responds with an HTTP 407 code (for more information, see [RFC2616] section 10.2) and a Proxy-Authenticate header with an NTLM CHALLENGE_MESSAGE (as specified in [MS-NLMP] section 2.2.1.2) in ntlm-data.

  
 S: HTTP/1.1 407 Proxy Authentication Required
 S: Proxy-Authenticate: NTLM yNY3lb6a0L6vVQEZNqwQn0s8UNew33KdKZvG+Onv
  

The client decodes the ntlm-data that is contained in the auth-data base64-encoded data and passes this to its implementation of [MS-NLMP]. If this authentication data is valid, the client responds by reissuing the GET request with a Proxy-Authorization header that contains an NTLM AUTHENTICATE_MESSAGE (as specified in [MS-NLMP] section 2.2.1.3) in ntlm-data.

  
 C: GET dir/index.html
 C: Proxy-Authorization: NTLM kGaXHz6/owHcWRlvGFk8ReUZKHo=QEZNqwQn0s8U
  

The proxy decodes the ntlm-data that is contained in the auth-data2 base64-encoded data and passes this to its implementation of [MS-NLMP]. If the proxy accepts this authentication data from the client, it responds with an HTTP 2xx code (for more information, see [RFC2616] section 10.2) indicating success. The requested content is also included in the proxy response.

Note: The base64 values used in the preceding examples are for illustrative purposes only and do not represent valid base64-encoded NTLM messages.
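The following Python is an added example, not part of the specification. It classifies the ntlm-data in a Proxy-Authenticate or Proxy-Authorization header by the Signature and MessageType fields that open every [MS-NLMP] message, and rejects a message type carried in the wrong header for the exchange described above. The function names and the constructed sample token builder are assumptions made for illustration; the illustrative base64 values in this section are rejected by it because they are not valid NTLM messages.

```python
import base64
import binascii
import struct

NTLM_SIGNATURE = b"NTLMSSP\x00"  # 8-byte Signature field that opens every NTLM message
# MessageType -> (message name, header that carries it in the proxy exchange)
MESSAGE_TYPES = {
    1: ("NEGOTIATE_MESSAGE", "proxy-authorization"),
    2: ("CHALLENGE_MESSAGE", "proxy-authenticate"),
    3: ("AUTHENTICATE_MESSAGE", "proxy-authorization"),
}


def classify_ntlm_header(line):
    """Return the NTLM message name carried by one proxy auth header line.

    Returns "NO_NTLM_DATA" for a bare "NTLM" value (the first 407) and raises
    ValueError when the token is malformed or sent in the wrong direction.
    """
    name, _, value = line.partition(":")
    header = name.strip().lower()
    if header not in ("proxy-authorization", "proxy-authenticate"):
        raise ValueError("not a proxy authentication header")
    parts = value.split()
    if not parts or len(parts) > 2 or parts[0].upper() != "NTLM":
        raise ValueError("not an NTLM auth scheme value")
    if len(parts) == 1:
        return "NO_NTLM_DATA"
    try:
        raw = base64.b64decode(parts[1], validate=True)
    except binascii.Error as exc:
        raise ValueError("ntlm-data is not valid base64") from exc
    if len(raw) < 12 or raw[:8] != NTLM_SIGNATURE:
        raise ValueError("ntlm-data does not start with the NTLMSSP signature")
    (msg_type,) = struct.unpack_from("<I", raw, 8)  # little-endian MessageType
    if msg_type not in MESSAGE_TYPES:
        raise ValueError(f"unknown NTLM MessageType {msg_type}")
    message, expected_header = MESSAGE_TYPES[msg_type]
    if header != expected_header:
        raise ValueError(f"{message} is not valid in {name.strip()}")
    return message


def constructed_token(msg_type):
    """Constructed sample: Signature + MessageType + zeroed flags, nothing else."""
    return base64.b64encode(NTLM_SIGNATURE + struct.pack("<II", msg_type, 0)).decode()
```

Pass each header line without the "C:" or "S:" direction prefix used in the listings.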
