Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
The following example illustrates the sequence of messages exchanged to communicate through a NTLM enabled proxy. These examples use the Secure Tunnel proxy to enable the NTLM authentication.
Figure 31: Client NTLM authentication example
The following is an example of the messages exchanged between the client and the Secure Tunnel Proxy to create a connection between the client and the server.
The client creates a TCP connection to the Secure Tunnel proxy and requests a connection to the server using the following message:
-
----------------------------------Message START ---------------------------------- CONNECT server.domain.net:443 HTTP/1.0 User-Agent:Mozilla/4.0 (compatible; MSIE 5.5; Win32) proxy-Connection: Keep-Alive Pragma: no-cache ----------------------------------Message END ------------------------------------
The Secure Tunnel proxy responds with the following "Access Required" message and tears down the connection gracefully:
-
----------------------------------Message START ---------------------------------- HTTP/1.1 407 ProxyAuthentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web proxy service is denied. ) Via: 1.1 SPIRIT1B proxy-Authenticate: Negotiate proxy-Authenticate: Kerberos proxy-Authenticate: NTLM Connection: close proxy-Connection: close Pragma: no-cache Cache-Control: no-cache Content-Type: text/html Content-Length: 701 ----------------------------------Message END -----------------------------------------------------
The client again connects to the Secure Tunnel proxy and sends the following message with authentication information:
-
----------------------------------Message START ---------------------------------- CONNECT server.domain.net:443 HTTP/1.0 User-Agent:Mozilla/4.0 (compatible; MSIE 5.5; Win32) proxy-Connection: Keep-Alive Pragma: no-cache proxy-Authorization: NTLM TlRMTVNTUAABAAAAt7II4gkACQAxAAAACQAJACgAAAAFASgKAAAAD0xBQlNNT0tFM1dPUktHUk9VUA== ----------------------------------Message END ------------------------------------
The proxy responds with the following message indicating the denied access and an authentication challenge for the client:
-
----------------------------------Message START ---------------------------------- HTTP/1.1 407 ProxyAuthentication Required ( Access is denied. ) Via: 1.1 SPIRIT1B proxy-Authenticate: NTLM TlRMTVNTUAACAAAAEAAQADgAAAA1goriluCDYHcYI/sAAAAAAAAAAFQAVABIAAAABQLODgAAAA9TAFAASQBSAEkAVAAxAEIAAgAQAFMAUABJAFIASQBUADEAQgABABAAUwBQAEkAUgBJAFQAMQBCAAQAEABzAHAAaQByAGkAdAAxAGIAAwAQAHMAcABpAHIAaQB0ADEAYgAAAAAA Connection: Keep-Alive proxy-Connection: Keep-Alive Pragma: no-cache Cache-Control: no-cache Content-Type: text/html Content-Length: 0 ----------------------------------Message END ------------------------------------
The client again requests a connection to the server and includes the response to the authentication challenge:
-
----------------------------------Message START ---------------------------------- CONNECT server.domain.net:443 HTTP/1.0 User-Agent:Mozilla/4.0 (compatible; MSIE 5.5; Win32) proxy-Connection: Keep-Alive Pragma: no-cache proxy-Authorization: NTLM TlRMTVNTUAADAAAAGAAYAHIAAAAYABgAigAAABIAEgBIAAAABgAGAFoAAAASABIAYAAAABAAEACiAAAANYKI4gUBKAoAAAAPTABBAEIAUwBNAE8ASwBFADMAXwBxAGEATABBAEIAUwBNAE8ASwBFADMA0NKq8HYYhj8AAAAAAAAAAAAAAAAAAAAAOIiih3mR+AkyM4r99sy1mdFonCu2ILODro1WTTrJ4b4JcXEzUBA2Ig== ----------------------------------Message END ------------------------------------
Upon successful proxy authentication, the Secure Tunnel proxy responds with the following message indicating successful authentication and establishment of a connection to the server:
-
----------------------------------Message START ---------------------------------- HTTP/1.1 200 Connection established Via: 1.1 SPIRIT1B ----------------------------------Message END ------------------------------------
The application data can be exchanged after the NTLM authentication is finished and the Secure Tunnel proxy successfully creates the connection to the server.