WebApp Sec mailing list archives

Re: NTLM and man-in-the-middle proxies not working


From: "Amit Klein (AKsecurity)" <aksecurity () hotpop com>
Date: Wed, 21 Sep 2005 00:48:11 +0200

On 20 Sep 2005 at 13:45, Michael Eddington wrote:

> That isn't 100% true.  Because NTLM authenticates a TCP connection,
> not a web request, a proxy must specifically support NTLM
> authentication proxying or bad-things might happen.  To show IE that
> this is supported the proxy must set the following header if
> WWW-Authenticate header exists:
>
> Proxy-Support: Session-Based-Authentication
>
> this isn't well documented which is why most MITM proxies didn't
> support NTLM for a long-ass time.


You're right. This header does take care of things - if IE sees this header, it does 
proceed with NTLM authentication. But the few proxy servers I played with simply don't use 
this header (as you mentioned above). Anyway - I should have mentioned this point in my 
earlier submissions, thanks for the correction.

Of course, this only pertains to forward proxies. Reverse/transparent proxies will not be 
visible to IE, and so it will happily engage in NTLM authentication, with interesting 
consequences.

As for "well documented" - the whole NTLM authentication scheme has no official 
documentation (AFAIK), so it's no surprise this header isn't widely known.
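
The header rule discussed in this thread, as an added example that is not part of the original messages or of any proxy's code: a forward proxy adds the Proxy-Support token to responses carrying WWW-Authenticate, and an audit check flags proxied responses that offer NTLM without it. Function names and the sample responses are constructed for illustration; treating Proxy-Support as a comma-separated token list is an assumption.

```python
TOKEN = "Session-Based-Authentication"

def parse_head(raw):
    """Split a raw HTTP response head into (status line, [(name, value), ...])."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status, *lines = head.split("\r\n")
    headers = [tuple(p.strip() for p in l.split(":", 1)) for l in lines if ":" in l]
    return status, headers

def values(headers, name):
    """All values of a header, matched case-insensitively (it may repeat)."""
    return [v for n, v in headers if n.lower() == name.lower()]

def has_support_token(headers):
    tokens = [t.strip().lower()
              for v in values(headers, "Proxy-Support") for t in v.split(",")]
    return TOKEN.lower() in tokens

def offers_ntlm(headers):
    """True if any WWW-Authenticate challenge uses the NTLM scheme."""
    return any(v.split(None, 1)[0].lower() == "ntlm"
               for v in values(headers, "WWW-Authenticate") if v)

def annotate(raw):
    """Return the response head as a forward proxy would pass it to the client."""
    status, headers = parse_head(raw)
    # Rule from the thread: set the header whenever WWW-Authenticate exists.
    if values(headers, "WWW-Authenticate") and not has_support_token(headers):
        headers.append(("Proxy-Support", TOKEN))
    lines = [status] + [f"{n}: {v}" for n, v in headers]
    return "\r\n".join(lines).encode("iso-8859-1") + b"\r\n\r\n"

def audit(raw):
    """Flag a proxied response that offers NTLM without the Proxy-Support token."""
    _, headers = parse_head(raw)
    return offers_ntlm(headers) and not has_support_token(headers)

# Constructed sample responses (not captured traffic).
CHALLENGE = (b"HTTP/1.1 401 Unauthorized\r\n"
             b"WWW-Authenticate: NTLM\r\n"
             b"Content-Length: 0\r\n\r\n")
PLAIN = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    print(audit(CHALLENGE))
    print(annotate(CHALLENGE).decode("iso-8859-1"))
```

Only the response head is handled here; the header alone does not make a proxy safe for NTLM, since the proxy must also keep each client connection tied to a single upstream connection for the reason given in the quoted message.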



