NTLM through proxy server

Tags: active-directory, http, ntlm, proxy, squid

  • We use squid as an HTTP proxy (if needed I can modify its configuration).
  • We want to access a website that uses NTLM for authentication.
  • When we go to the website through squid we see a blank page.
  • When we go to the website through a DSL box, we see an authentication popup (desired result).

I don't know much about NTLM … deranged imagination … crappy protolol … grmbl grmbl 😀 😀 😀

This thread says it can't be done: http://www.squid-cache.org/mail-archive/squid-users/200708/0578.html

Are there any gurus who can provide a solution or a workaround?

Here's telnet output on port 80 for the desired website:

Trying 111.222.333.444...
Connected to www.extranet-example.com (111.222.333.444).
Escape character is '^]'.
GET /index.htm HTTP/1.1
host: www.extranet-example.com

HTTP/1.1 401 Unauthorized
Server: Microsoft-IIS/7.5
SPRequestGuid: 2764478a-b14a-4541-9110-27ebf4281e84
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
MicrosoftSharePointTeamServices: 14.0.0.4762
Date: Mon, 25 Nov 2013 14:25:26 GMT
Content-Length: 0

Bonus: we use 2 chained proxy servers (squid-2.6 on RHEL 5).

Edit: Using NTLM to do squid authentication is not what we are trying to achieve.

Edit 2: The website we try to reach is outside our company, outside of our network. In fact it is a public website with a public IP. If I exclude this website from the proxy configuration, it won't work because our workstations have neither a route to the internet nor a direct connection.

Best Answer

NTLM is connection-oriented, and since there's no direct connection between you and the webserver when you use the proxy, NTLM fails. (There's a connection between you and the proxy and a second connection between the proxy and the website.)

If you can't upgrade to, for example, Kerberos auth, your best bet is to add the webserver to the proxy exclude list in your client configuration (PAC file?). Typically internal servers on the corporate intranet (which is where you'd expect NTLM auth) are excluded from the proxy for this reason and clients connect directly.

EDIT

Apparently there's an option in Squid for NTLM passthrough authentication: Connection Pinning. Available from Squid version 2.6 and up and 3.1 and up.

http_port ... connection-auth[=on|off]
https_port ... connection-auth[=on|off]
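The connection-pinning point in the answer, as an added example that is not part of the original thread: a self-contained Python simulation of the three-leg NTLM HTTP handshake (negotiate, challenge, authenticate) run through a forward proxy, once with each client connection pinned to a single upstream connection and once with a fresh upstream connection per request, which is what the poster sees through squid. The NTLMSSP signature and message-type field are the real framing; everything else is a constructed stand-in: the challenge/response is HMAC-SHA256 under a demo password rather than the NTLMv2 computation, and the origin server, proxy and connection ids are invented for the demo.

```python
# Added example, not code from the original thread. Simulates why NTLM over a
# non-pinning proxy never gets past 401: IIS ties the challenge to the TCP
# connection, so a type 3 message arriving on a different upstream connection
# has no challenge to be checked against. Crypto is a stand-in (HMAC-SHA256
# under a constructed password), not the real NTLMv2 response.
import base64
import hashlib
import hmac
import itertools
import os
import struct

NTLMSSP = b"NTLMSSP\x00"               # real NTLMSSP signature
PASSWORD = b"constructed-demo-password"  # constructed shared secret for the demo


def ntlm_msg(msg_type: int, body: bytes = b"") -> bytes:
    """Minimal NTLMSSP message: signature, little-endian type, raw payload."""
    return NTLMSSP + struct.pack("<I", msg_type) + body


def ntlm_type(blob: bytes) -> int:
    if not blob.startswith(NTLMSSP):
        raise ValueError("not an NTLMSSP message")
    return struct.unpack_from("<I", blob, 8)[0]


class OriginServer:
    """Models IIS: NTLM state is kept per *connection*, not per request."""

    def __init__(self):
        self.state = {}  # upstream conn id -> pending challenge or "authenticated"

    def handle(self, conn_id, headers):
        st = self.state.get(conn_id)
        if st == "authenticated":          # connection already authenticated
            return 200, {}
        auth = headers.get("Authorization")
        if not auth or not auth.startswith("NTLM "):
            return 401, {"WWW-Authenticate": "NTLM"}
        blob = base64.b64decode(auth[5:])
        t = ntlm_type(blob)
        if t == 1:                          # type 1: issue a challenge on this conn
            challenge = os.urandom(8)
            self.state[conn_id] = challenge
            chal = base64.b64encode(ntlm_msg(2, challenge)).decode()
            return 401, {"WWW-Authenticate": "NTLM " + chal}
        if t == 3 and isinstance(st, bytes):  # type 3: check against *this* conn's challenge
            expected = hmac.new(PASSWORD, st, hashlib.sha256).digest()
            if hmac.compare_digest(expected, blob[12:]):
                self.state[conn_id] = "authenticated"
                return 200, {}
        # type 3 on a connection with no outstanding challenge: start over
        self.state.pop(conn_id, None)
        return 401, {"WWW-Authenticate": "NTLM"}


class Proxy:
    """Forward proxy. With pinning, one client connection maps to one upstream
    connection for its whole life; without it, every request gets a new one."""

    def __init__(self, origin, pinning):
        self.origin, self.pinning = origin, pinning
        self.ids = itertools.count(1)
        self.pinned = {}

    def forward(self, client_conn, headers):
        if self.pinning:
            up = self.pinned.setdefault(client_conn, next(self.ids))
        else:
            up = next(self.ids)
        return self.origin.handle(up, headers)


def client_fetch(proxy, client_conn="c1", max_rounds=4):
    """Client side of the handshake on one connection, as a browser does it.
    Returns (final status, number of round trips used)."""
    headers = {}
    for rounds in range(1, max_rounds + 1):
        status, resp = proxy.forward(client_conn, headers)
        if status == 200:
            return 200, rounds
        www = resp.get("WWW-Authenticate", "")
        if www == "NTLM":                   # bare header -> send type 1
            headers = {"Authorization": "NTLM " + base64.b64encode(ntlm_msg(1)).decode()}
        elif www.startswith("NTLM "):       # challenge -> answer with type 3
            chal_msg = base64.b64decode(www[5:])
            if ntlm_type(chal_msg) != 2:
                raise ValueError("expected a type 2 challenge")
            proof = hmac.new(PASSWORD, chal_msg[12:], hashlib.sha256).digest()
            headers = {"Authorization": "NTLM " + base64.b64encode(ntlm_msg(3, proof)).decode()}
    return status, max_rounds


def run(pinning):
    """Drive one fetch through a fresh proxy/origin pair."""
    return client_fetch(Proxy(OriginServer(), pinning))


if __name__ == "__main__":
    print("pinned   :", run(True))    # (200, 3): 401, 401+challenge, 200
    print("unpinned :", run(False))   # (401, 4): the type 3 never meets its challenge
```

With pinning the exchange finishes in three round trips; without it the type 3 message lands on an upstream connection that never issued the challenge, the origin restarts the exchange, and the client loops on 401, which a browser renders as the blank page the question describes. That is what `connection-auth=on` on Squid's `http_port` addresses: once a connection-oriented auth header is seen, the client connection is pinned to one server connection. With two chained proxies both hops have to pin, so the parent relationship also needs the `connection-auth` option on its `cache_peer` line, otherwise the second hop reintroduces the fresh-connection behaviour.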