On Mon, 19 Apr 2004, Darren Spruell wrote:

> We run squid for some clients that need to access partners' websites
> that are set up to authenticate users using NTLM. (At least, we see
> their servers passing the following headers
>
> Server: Microsoft-IIS/5.0
> WWW-Authenticate: Negotiate
> WWW-Authenticate: NTLM

This cannot be proxied. Client must talk directly to the origin server to
use these authentication mechanisms. Or to be precise, there must be a
direct relation between client TCP connection and server TCP connection.

If you can talk to the site owner advise them to use https as a
"workaround" to this. By using https such direct connection is guaranteed,
even in proxied environments.

> I understand that transparent passthrough authentication will not work
> through an HTTP proxy, but what we end up seeing is that users off the
> proxy receive a login prompt from the web server and can then
> authenticate manually, but users on the proxy simply get an "access
> denied" message from the web server and can't view the page

Sounds like you are using an old Squid version in your transparent proxy.
It doesn't really work, just may seem so in the first attempt.

> Is this also related to the NTLM authentication not being supported, or
> is there a way we can make it so that users are still given the login
> prompt?

No. MSIE disables the use of NTLM and Negotiate when configured to use a
proxy, simply because of the fact that these authentication methods can
not be proxied.

Regards
Henrik
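The point Henrik makes above, that NTLM/Negotiate authenticate a TCP connection rather than a request, can be shown with a small model. This is an added illustration, not Squid code or anything from the thread: a toy origin server that keeps handshake state per connection, driven once over a single client connection (the direct or CONNECT-tunnel case) and once through a proxy that spreads requests across a pool of upstream connections. Connection names, the "type1"/"type3" message labels and the pool size are constructed for the example.

```python
from itertools import cycle


class ConnectionBoundAuthServer:
    """Toy origin modelling NTLM-style auth: the challenge is remembered per
    TCP connection, and the final message must arrive on that same connection.
    Constructed example; not a real NTLM implementation."""

    def __init__(self):
        self.state = {}  # conn_id -> "challenged" | "authed"

    def handle(self, conn_id, auth_msg):
        if self.state.get(conn_id) == "authed":
            return 200                      # connection already authenticated
        if auth_msg is None:
            return 401                      # offer NTLM/Negotiate
        if auth_msg == "type1":
            self.state[conn_id] = "challenged"
            return 401                      # send challenge on this connection
        if auth_msg == "type3" and self.state.get(conn_id) == "challenged":
            self.state[conn_id] = "authed"
            return 200
        return 401                          # type3 on a never-challenged connection


HANDSHAKE = [None, "type1", "type3"]        # three round trips of the scheme


def run_direct(server):
    """Client talks straight to the origin (or through a CONNECT tunnel):
    one client connection maps to one origin connection for its whole life."""
    conn = "client-conn-1"
    return [server.handle(conn, msg) for msg in HANDSHAKE]


def run_via_forwarding_proxy(server, pool_size=2, pinned=False):
    """Forwarding proxy: each request goes out on whichever pooled upstream
    connection is free. With pinned=True the proxy keeps a 1:1 mapping, which
    is what an https/CONNECT tunnel gives you."""
    if pinned:
        return run_direct(server)
    upstream = cycle(f"proxy-conn-{i}" for i in range(pool_size))
    return [server.handle(next(upstream), msg) for msg in HANDSHAKE]


if __name__ == "__main__":
    print("direct:", run_direct(ConnectionBoundAuthServer()))
    print("proxied:", run_via_forwarding_proxy(ConnectionBoundAuthServer()))
    print("tunnelled:", run_via_forwarding_proxy(ConnectionBoundAuthServer(), pinned=True))
```

The proxied run ends in 401 because the type3 message lands on an upstream connection that never saw the challenge, which is the "access denied" the users on the proxy observe; the pinned run succeeds like the direct one.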