
Re: NTLM and man-in-the-middle proxies not working

Subject: Re: NTLM and man-in-the-middle proxies not working
Date: Tue, 20 Sep 2005 13:45:03 -0700
That isn't 100% true.  Because NTLM authenticates a TCP connection,
not a web request, a proxy must specifically support NTLM
authentication proxying or bad things might happen.  To show IE that
this is supported, the proxy must set the following header if a
WWW-Authenticate header exists:

Proxy-Support: Session-Based-Authentication

This isn't well documented, which is why most MITM proxies didn't
support NTLM for a long-ass time.

mike

On 9/19/05, Amit Klein (AKsecurity) <aksecurity@hotpop.com> wrote:
On 19 Sep 2005 at 10:52, Eoin Keary wrote:

I find Burp works well for MITM stuff


With IE and NTLM? What version (maybe an old one)?

The phenomenon I was talking about was actually observed 4 years ago.

From a Squid-Dev posting by Chemolli Francesco (USI), Mon, 20 Aug 2001
(http://www.squid-cache.org/mail-archive/squid-dev/200108/0152.html):

"It is worth noticing that recent version of MS Internet Explorer
WILL NOT EVEN ATTEMPT to perform NTLM authentication if a proxy
is in use to reach the destination host."

And I also verified this on IE 6.0 SP2 (WinXP SP2).

-Amit

On 16/09/05, Amit Klein (AKsecurity) <aksecurity@hotpop.com> wrote:
On 15 Sep 2005 at 15:42, raymond_b_jimenez@yahoo.com wrote:


Most interesting is the fact that IE passes IWA credentials over a
proxy. I had put in a demo environment, and I did successfully manage to
use IE/IWA through a proxy (in this case Odysseus). Just in case, I
tested it again and it does pass IWA through proxy.


Weird. I double checked (this time I used Odysseus, 2.0B10), but no good,
my IE (6.0.3790.0) doesn't even ask me for the NTLM credentials when it's
configured with a forward proxy. What's your IE version? Can other people
check this please?
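
The header rule from the top reply, as an added example that is not part of the original thread or of any proxy's own code: a testing proxy's response-header step that adds `Proxy-Support: Session-Based-Authentication` whenever the upstream response carries `WWW-Authenticate`, and flags when the client connection should stay bound to one upstream connection. The function names, the `pin` flag, the scheme set and the sample response are assumptions made for illustration.

```python
# Added example (not from the thread): header handling for a proxy that
# relays connection-based authentication such as NTLM.

# Assumption: schemes this sketch treats as bound to the TCP connection.
CONNECTION_BASED = {"ntlm", "negotiate"}
PROXY_SUPPORT = ("Proxy-Support", "Session-Based-Authentication")


def auth_schemes(headers):
    """Return the lowercase scheme names offered in WWW-Authenticate headers."""
    schemes = set()
    for name, value in headers:
        if name.lower() != "www-authenticate":
            continue
        # Simplified parse: the first token of each comma-separated part is
        # taken as a scheme unless it looks like a key=value parameter.
        for part in value.split(","):
            tokens = part.split()
            if tokens and "=" not in tokens[0]:
                schemes.add(tokens[0].lower())
    return schemes


def relay_response_headers(upstream_headers):
    """Return (headers_for_client, pin) for one upstream response.

    pin is True when the challenge is connection-based, meaning the proxy
    should keep this client connection on a single upstream connection.
    """
    out = list(upstream_headers)
    schemes = auth_schemes(out)
    if not schemes:
        return out, False  # no WWW-Authenticate header: nothing to add
    present = any(n.lower() == "proxy-support"
                  and v.strip().lower() == PROXY_SUPPORT[1].lower()
                  for n, v in out)
    if not present:
        out.append(PROXY_SUPPORT)
    return out, bool(schemes & CONNECTION_BASED)


# Constructed sample: headers of a 401 response offering Negotiate and NTLM.
SAMPLE_401 = [
    ("Content-Type", "text/html"),
    ("WWW-Authenticate", "Negotiate"),
    ("WWW-Authenticate", "NTLM"),
]

if __name__ == "__main__":
    headers, pin = relay_response_headers(SAMPLE_401)
    print(headers, pin)
```
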





