I'm talking about the first NTLM leg here, once we've already established that we need to authenticate, and we've decided that the authentication method will be NTLM. As far as I can understand, unless the proxy server can break the NTLM sequence and simply forward the request when we send the initial NTLM salt, we will always expect a 4xx response from the first request sent in the NTLM sequence.

On Apr 2, 2010, at 3:20 PM, Jamie Lokier wrote:

> Mark Pauley wrote:
>> Practically however: I've seen that Microsoft proxy servers and web
>> servers that use NTLM authentication always ignore payload sent with
>> the initiation of the NTLM authentication. In essence, the first
>> request isn't really HTTP because the client really expects the
>> server to respond only with a 4xx message.
>
> A proxy is free to forward your request to IIS between 10am and 2pm,
> and to forward your request to Apache on a Linux box with no
> authentication after 2pm. So it is, alas, broken in this scenario.
> But that's the nature of the NTLM beast.
>
> -- Jamie

Received on Friday, 2 April 2010 22:23:47 GMT
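
Added example, not part of the thread or any participant's code: a Python sketch that classifies the response to the first NTLM leg, separating the expected 401/407 challenge from the case Jamie Lokier describes, where the request is processed with no authentication at all. The function names, result labels and the truncated sample tokens are constructed for illustration, and header names are assumed to be given in canonical case.

```python
import base64
import struct

NTLM_SIG = b"NTLMSSP\x00"

def ntlm_message_type(header_value):
    """Return the NTLM message type (1, 2 or 3) in a header value, else None."""
    scheme, _, token = header_value.partition(" ")
    if scheme.upper() != "NTLM" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None
    if len(raw) < 12 or not raw.startswith(NTLM_SIG):
        return None
    # The message type is a little-endian uint32 right after the signature.
    return struct.unpack_from("<I", raw, 8)[0]

def _ntlm_in(headers, *names):
    """First NTLM message type found under any of the given header names."""
    for name in names:
        msg_type = ntlm_message_type(headers.get(name, ""))
        if msg_type is not None:
            return msg_type
    return None

def classify_first_leg(req_headers, req_body_len, status, resp_headers):
    """Classify what happened to a request that opened an NTLM handshake."""
    if _ntlm_in(req_headers, "Authorization", "Proxy-Authorization") != 1:
        return "not-first-leg"
    if status in (401, 407):
        if _ntlm_in(resp_headers, "WWW-Authenticate", "Proxy-Authenticate") == 2:
            # Expected path: any payload sent with this request was ignored.
            return "challenge" if req_body_len == 0 else "challenge-payload-discarded"
        return "rejected-without-challenge"
    if 200 <= status < 300:
        # The request reached a server that did not ask for authentication,
        # so whatever body accompanied the first leg was acted upon as-is.
        return "processed-without-auth"
    return "unexpected"

def _token(msg_type):
    # Constructed, truncated NTLM message: signature + type + zeroed flags.
    raw = NTLM_SIG + struct.pack("<II", msg_type, 0)
    return "NTLM " + base64.b64encode(raw).decode()

TYPE1, TYPE2 = _token(1), _token(2)
```

A client that sends an empty body on the first leg and receives `processed-without-auth` has had its empty request treated as the real one, which is the broken scenario the reply points out.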