NTLM through proxy server

7,941

Solution 1

NTLM is connection oriented, and since there's no direct connection between you and the webserver when you use the proxy, NTLM fails. (There's a connection between you and the proxy and a second connection between the proxy and the website.)

If you can't upgrade to for example Kerberos auth your best bet is to add the webserver to the proxy exclude list in your client configuration (PAC file?). Typically internal servers on the corporate intranet (which is where you'd expect NTLM auth) are excluded from the proxy for this reason and clients connect directly.

EDIT

Apparently there's an option in Squid for NTLM passthrough authentication: Connection Pinning. Available from Squid version 2.6 and up and 3.1 and up.

http_port ... connection-auth[=on|off]
https_port ... connection-auth[=on|off]

Solution 2

Based on the information provided, I don't think you can create a workaround to use NTLM over Squid over the Internet without going "outside the box" somehow.

A possible suggestion would be using HAproxy (which does TCP reverse proxying) to create a local URL in your network that pipes requests to the site on the other end. If you have to go through 2 different hops (i.e the 2 machines running Squid) then you would have to set up two instances.

Configuration would be something on the lines of:

listen localsite 0.0.0.0:80
    mode tcp
    balance roundrobin
    option  tcplog

    server upstream1 1.2.3.4:80

While you do have to run a separate application, HAproxy is super painless (install a single package, 10 line config file, pretty much 0 configuration, 0 maintenance).

The other option would be to modify the system's configuration to enable some sort of SSO, and then use a local NTLM authenticator to initiate the sessions to the upstream system. This might imply development and changes to the system.

I don't think I have ever seen NTLM used over the Internet though, it's generally used in LANs. Maybe if you expand on the situation we can suggest an alternative strategy.
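The point both answers turn on, that NTLM authenticates a TCP connection rather than a request, is easy to see in a small model. The following is an added example and is not code from either answer, from Squid or from HAproxy: it simulates, with no real sockets and no real NTLM cryptography, an origin server that keeps its negotiate/challenge/authenticate state per upstream connection, a proxy that opens a fresh upstream connection for every request (the behaviour that produces the blank page), and a pinning proxy that ties each client connection to one upstream connection, which is what Squid's connection-auth or an HAproxy TCP passthrough provides. The class names, the `SHARED_SECRET` placeholder and the token format are all assumptions made for the model.

```python
# Added example (not from the answers above): a pure-Python model of why NTLM's
# connection-bound handshake fails through a proxy that does not pin
# connections, and why connection pinning / TCP passthrough fixes it.
# The negotiate/challenge/authenticate legs follow NTLM's shape only; the
# tokens and SHARED_SECRET are placeholders, not real NTLM crypto.
import hashlib
import itertools
import secrets

SHARED_SECRET = b"placeholder-credential"  # stands in for the password hash both sides know


def compute_response(challenge_hex: str) -> str:
    """Stand-in for the NTLM response: derived from the server's challenge."""
    return hashlib.sha256(bytes.fromhex(challenge_hex) + SHARED_SECRET).hexdigest()[:16]


class OriginServer:
    """Keeps NTLM auth state per *upstream TCP connection*, as IIS does."""

    def __init__(self):
        self._state = {}  # conn_id -> {"challenge": hex or None, "authed": bool}
        self.connections_opened = 0

    def open_connection(self) -> int:
        self.connections_opened += 1
        self._state[self.connections_opened] = {"challenge": None, "authed": False}
        return self.connections_opened

    def handle(self, conn_id: int, auth_header):
        """One HTTP request on connection conn_id -> (status, www_authenticate, body)."""
        st = self._state[conn_id]
        if st["authed"]:
            return 200, None, "welcome"  # this connection is already authenticated
        if auth_header == "NTLM negotiate":  # leg 1: issue a challenge bound to this conn
            st["challenge"] = secrets.token_hex(8)
            return 401, "NTLM challenge:" + st["challenge"], ""
        if auth_header and auth_header.startswith("NTLM authenticate:"):  # leg 3
            if st["challenge"] is None:
                # No challenge was ever issued on THIS connection: restart the handshake.
                return 401, "NTLM", ""
            if auth_header.split(":", 1)[1] == compute_response(st["challenge"]):
                st["authed"] = True
                return 200, None, "welcome"
        return 401, "NTLM", ""  # anonymous or bad token: ask for NTLM


class NaiveProxy:
    """Forward proxy that opens a new upstream connection for every request."""

    def __init__(self, origin: OriginServer):
        self.origin = origin
        self._client_ids = itertools.count(1)

    def accept(self) -> int:
        return next(self._client_ids)  # a new client-side TCP connection

    def request(self, client_conn: int, auth_header):
        upstream = self.origin.open_connection()  # fresh upstream conn: auth state is lost
        return self.origin.handle(upstream, auth_header)


class PinningProxy(NaiveProxy):
    """Same proxy, but each client connection is pinned to one upstream connection."""

    def __init__(self, origin: OriginServer):
        super().__init__(origin)
        self._pinned = {}  # client_conn -> upstream conn_id

    def request(self, client_conn: int, auth_header):
        upstream = self._pinned.get(client_conn)
        if upstream is None:
            upstream = self._pinned[client_conn] = self.origin.open_connection()
        return self.origin.handle(upstream, auth_header)


class NtlmClient:
    """Browser-side handshake driver, talking to the proxy over one client connection."""

    def __init__(self, proxy):
        self.proxy = proxy

    def fetch(self, max_rounds: int = 4):
        conn = self.proxy.accept()
        status, hdr, body = self.proxy.request(conn, None)  # anonymous first request
        for _ in range(max_rounds):
            if status != 401:
                break
            if hdr == "NTLM":  # server wants the handshake (re)started
                status, hdr, body = self.proxy.request(conn, "NTLM negotiate")
            elif hdr.startswith("NTLM challenge:"):
                resp = compute_response(hdr.split(":", 1)[1])
                status, hdr, body = self.proxy.request(conn, "NTLM authenticate:" + resp)
        return status, body


def run(proxy_cls, n_clients: int = 1):
    """Return ([final status per client], upstream connections the origin saw)."""
    origin = OriginServer()
    proxy = proxy_cls(origin)
    statuses = [NtlmClient(proxy).fetch()[0] for _ in range(n_clients)]
    return statuses, origin.connections_opened


if __name__ == "__main__":
    print("naive proxy:  ", run(NaiveProxy))            # ([401], 5): stuck in a 401 loop
    print("pinned proxy: ", run(PinningProxy))          # ([200], 1)
    print("pinned, 2 cl: ", run(PinningProxy, 2))       # ([200, 200], 2): one upstream per client
```

Through the naive proxy the authenticate leg always lands on a connection that never saw the challenge, so the server restarts the handshake and the client gives up with 401, which is the blank page the question describes. The pinning proxy never inspects the tokens at all; it only keeps the client socket and the upstream socket paired, which is why a plain TCP passthrough works across chained hops, and also why it costs one upstream connection per client, as the closing comment below notes.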

Author: GomoX (CTO at InvGate, all-around geek.)

Updated on September 18, 2022

Comments

  • GomoX
    GomoX over 1 year
    • We use squid as a HTTP proxy (if needed I can modify its configuration).
    • We want to access a website that uses ntlm for authentication
    • When we go on the website through squid we see a blank page
    • When we go to the website through a DSL box, we see an authentication popup (desired result)

    I don't know much about NTLM ... deranged imagination ... crappy protocol ... grmbl grmbl :D :D :D

    This thread says it can't be done: http://www.squid-cache.org/mail-archive/squid-users/200708/0578.html

    Are there any gurus who can provide a solution or a workaround?

    Here's telnet output on port 80 for the desired website:

    Trying 111.222.333.444...
    Connected to www.extranet-example.com (111.222.333.444).
    Escape character is '^]'.
    GET /index.htm HTTP/1.1
    host: www.extranet-example.com
    
    HTTP/1.1 401 Unauthorized
    Server: Microsoft-IIS/7.5
    SPRequestGuid: 2764478a-b14a-4541-9110-27ebf4281e84
    WWW-Authenticate: NTLM
    X-Powered-By: ASP.NET
    MicrosoftSharePointTeamServices: 14.0.0.4762
    Date: Mon, 25 Nov 2013 14:25:26 GMT
    Content-Length: 0
    

    Bonus: We use 2 chained proxy servers (squid-2.6 rhel5)

    Edit: Using NTLM to do squid authentication is not what we are trying to achieve.

    Edit 2: The website we try to reach is outside our company, outside of our network. In fact it is a public website with a public IP. If I exclude this website from proxy configuration, it won't work because our workstations have no route to the internet nor direct connection.

  • GomoX
    GomoX over 10 years
    This, you need a TCP proxy to get NTLM over a proxy.
  • Admin
    Admin over 10 years
    I can't upgrade to kerberos since the website we have to use is not our website, nor is it part of our company.
  • Admin
    Admin over 10 years
    Gave more details about the problem inside the question
  • mfinni
    mfinni over 10 years
    NTLM is used all the time for Exchange (Outlook Anywhere - RPC over HTTPS).
  • GomoX
    GomoX over 10 years
    I had no idea :)
  • HBruijn
    HBruijn over 10 years
    Added the info on NTLM passthrough authentication support in Squid 2.6/3.1 and up to my earlier answer.
  • GomoX
    GomoX over 10 years
    Looks like exactly what the OP needed.
  • Admin
    Admin over 10 years
    +1 Has anyone ever used this feature in production? Does it work with NTLMv2? Chained proxies?
  • mfinni
    mfinni over 10 years
    It doesn't seem like NTLM vs NTLMv2 would make a difference.
  • Admin
    Admin over 10 years
    +1 for the idea of using an alternate proxy
  • GomoX
    GomoX over 10 years
    It should work over chained proxies as it's just doing a TCP socket passthrough. It will create a ton of connections though as the nature of NTLM auth needs an open socket for each client (hence normal proxying doesn't work).