Windows – Why is only the first request to an NTLM authenticating proxy challenged and how do subsequent requests through the proxy get authenticated

Tags: authentication, ntlm, proxy, windows

I am trying to develop a network tunnel that can traverse NTLM authenticating proxies. As part of that I am investigating how NTLM auth works. My test setup has WinGate proxy on one Windows box configured to require NTLM auth. My Windows client is set to use the WinGate machine as proxy. After WinGate is restarted, the first webpage I open requires authentication – I see the NTLM exchange via Fiddler. Subsequent requests from the same PC do not appear to require authentication. I mean any request from the PC – not just from the same browser – for example, opening Firefox when the initial auth was done in Chrome. I've captured all the traffic using Fiddler (and previously also with Wireshark) – I see no evidence of any token or identification being sent to the proxy. So how does the proxy know to allow these subsequent requests through? Is this expected behaviour for NTLM auth?

Best Answer

I found the answer - WinGate proxy has a non-standard behaviour by default - it caches credentials against the IP address of the client. So once NTLM has authenticated once, all subsequent requests from the PC are authenticated. This can be overridden by creating a Credential Rule in WinGate and choosing "Don't allow credentials established by a session to be used by other sessions".
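A quick way to verify the setting described in the answer on your own proxy is to open a brand-new TCP connection, send a request with no `Proxy-Authorization` header at all, and see whether the proxy answers 407 (credentials are bound to the session, as NTLM intends) or lets the request through (credentials are being reused for the whole client IP). The script below is an added example written for this page; it is not code from the question, the answer or WinGate. The proxy address, port and target URL are assumptions to be replaced with your own lab values, and the sample responses in the comments are constructed for illustration.

```python
"""Audit check: does an HTTP proxy accept an unauthenticated request on a
fresh TCP session?  A proxy that caches credentials per client IP (the
WinGate default described above) will answer 200/3xx instead of 407.

Added example, not from the original post.  PROXY_HOST, PROXY_PORT and
TARGET_URL are assumptions for a lab setup."""
import socket
from urllib.parse import urlsplit

PROXY_HOST = "127.0.0.1"             # assumption: address of the proxy under test
PROXY_PORT = 8080                    # assumption: proxy listening port
TARGET_URL = "http://example.com/"   # assumption: any origin the proxy will fetch


def build_probe(url: str) -> bytes:
    """Absolute-URI proxy request with deliberately no Proxy-Authorization."""
    parts = urlsplit(url)
    host = parts.netloc
    return (
        f"GET {url} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")


def offered_schemes(response: bytes) -> list:
    """Return the auth schemes advertised in Proxy-Authenticate headers."""
    head = response.split(b"\r\n\r\n", 1)[0]
    schemes = []
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"proxy-authenticate":
            # the scheme is the first token, e.g. "NTLM" or "Basic realm=..."
            schemes.append(value.strip().split()[0].decode("ascii", "replace"))
    return schemes


def classify(response: bytes) -> str:
    """Map the proxy's status line to an audit verdict."""
    status_line = response.split(b"\r\n", 1)[0]
    tokens = status_line.split()
    if len(tokens) < 2 or not tokens[0].startswith(b"HTTP/"):
        return "unparseable"
    code = tokens[1]
    if code == b"407":
        return "challenged"            # expected: every new session must authenticate
    if code[:1] in (b"2", b"3"):
        return "passed-without-auth"   # credentials reused across sessions by client IP
    return "other:" + code.decode("ascii", "replace")


def probe_once(host: str, port: int, url: str, timeout: float = 5.0) -> bytes:
    """Open a new TCP connection, send the probe, return the response head."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_probe(url))
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    return buf


if __name__ == "__main__":
    # Run this AFTER a browser on the same machine has completed NTLM once.
    # Constructed examples of what you might see:
    #   b"HTTP/1.1 407 Proxy Authentication Required\r\nProxy-Authenticate: NTLM\r\n\r\n"
    #   b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    resp = probe_once(PROXY_HOST, PROXY_PORT, TARGET_URL)
    print("verdict:", classify(resp), "schemes offered:", offered_schemes(resp))
```

Run it twice: once from a machine that has never authenticated and once right after a browser on the same machine has gone through the NTLM handshake. With the WinGate default you will see `challenged` the first time and `passed-without-auth` the second; after adding the Credential Rule from the answer, both runs should report `challenged` and list `NTLM` among the offered schemes.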