I am trying to develop a network tunnel that can traverse NTLM authenticating proxies. As part of that I am investigating how NTLM auth works. My test setup has WinGate proxy on one Windows box configured to require NTLM auth. My Windows client is set to use the WinGate machine as proxy. After WinGate is restarted, the first webpage I open requires authentication - I see the NTLM exchange via Fiddler. Subsequent requests from the same PC do not appear to require authentication. I mean any request from the PC - not just from the same browser - for example, opening Firefox when the initial auth was done in Chrome. I've captured all the traffic using Fiddler (and previously also with Wireshark) - I see no evidence of any token or identification being sent to the proxy. So how does the proxy know to allow these subsequent requests through? Is this expected behaviour for NTLM auth?
see: http://stackoverflow.com/questions/39892013/ntlm-authentication-over-http/39894817#39894817 – Peter Hahndorf Oct 27 '16 at 17:09
Thanks for the reply - that makes sense for requests from the same browser for resources associated to the same page or initial request. What confuses me is that even if I close the browser and restart it, or issue a request from a totally different process (another browser, a test program I wrote that fetches resources over HTTP etc) the authentication is not required either if I haven't restarted the proxy in the meantime. These can't be reusing the same connection can they? Unless Windows has some magic http connection caching? – fineman Oct 28 '16 at 07:34
2 Answers
I found the answer - WinGate proxy has a non-standard behaviour by default - it caches credentials against the IP address of the client. So once NTLM has authenticated once, all subsequent requests from the PC are authenticated. This can be overridden by creating a Credential Rule in WinGate and choosing "Don't allow credentials established by a session to be used by other sessions"
Just for more information on this. There's quite a lot of work that has to be done relating to any NTLM handshake / auth. For starters, the request is typically sent 3 times in order to complete the handshake (this is problematic with POST with message body, and IE has a hideous hack to try and alleviate this, which actually just causes problems).
So the proxy, if authenticating every connection, is handling 3 times the requests, and also has to pass that auth traffic via SSPI to the domain controller, so the load on the domain controller is also a lot higher. Then WinGate has to retrieve the object from the AD, so LDAP load on the AD DS is higher as well.
This load is reduced by the caching of the credentials. This is based on an assumption of course, that there's only 1 user on that IP. If this assumption is invalid, WinGate has rules to override this behaviour.
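The two behaviours the answers describe (the three-request NTLM handshake per connection, and WinGate's default of caching the result against the client IP) can be made concrete with a small proxy model. This is an added example, not WinGate's code or any code from the thread; the message shapes are simplified placeholders, `client_fetch` and `demo` are assumed names, and the IPs and users are constructed sample data. It shows why the per-IP cache cuts handshakes and domain-controller calls, and why on a shared IP (NAT, terminal server) a second user is silently treated as the first.

```python
from typing import Dict, Optional, Tuple


class NtlmProxy:
    """Minimal model of a proxy enforcing NTLM with an optional per-IP credential cache."""

    def __init__(self, cache_by_ip: bool):
        self.cache_by_ip = cache_by_ip
        self.authed_conns: Dict[int, str] = {}   # TCP connection -> user (standard NTLM scope)
        self.authed_ips: Dict[str, str] = {}     # client IP -> user (WinGate-style default cache)
        self.pending: Dict[int, bool] = {}       # connections that have sent a Type 1 message
        self.dc_calls = 0                        # Type 3 validations passed to the DC via SSPI

    def handle(self, ip: str, conn: int, user: str, auth: Optional[str]) -> Tuple[int, Optional[str]]:
        if conn in self.authed_conns:                    # NTLM is connection-oriented
            return 200, self.authed_conns[conn]
        if self.cache_by_ip and ip in self.authed_ips:   # the shortcut the question observed
            return 200, self.authed_ips[ip]
        if auth is None:
            return 407, None                             # Proxy-Authenticate: NTLM
        if auth == "TYPE1":
            self.pending[conn] = True
            return 407, None                             # Type 2 challenge
        if auth.startswith("TYPE3 ") and self.pending.pop(conn, False):
            self.dc_calls += 1
            self.authed_conns[conn] = user
            self.authed_ips[ip] = user
            return 200, user
        return 407, None


def client_fetch(proxy: NtlmProxy, ip: str, conn: int, user: str) -> Tuple[int, Optional[str]]:
    """Fetch one resource on a fresh connection; returns (requests sent, identity the proxy used)."""
    for n, auth in enumerate([None, "TYPE1", "TYPE3 " + user], 1):
        status, as_user = proxy.handle(ip, conn, user, auth)
        if status == 200:
            return n, as_user
    return 3, None


def demo(cache_by_ip: bool):
    p = NtlmProxy(cache_by_ip)
    first = client_fetch(p, "10.0.0.5", 1, "alice")   # initial browser: full 3-request handshake
    second = client_fetch(p, "10.0.0.5", 2, "bob")    # another process, same IP, different user
    return first, second, p.dc_calls
```

With the cache on, the second fetch succeeds on its first request but runs as "alice"; with the cache off (the Credential Rule the accepted answer mentions), it pays the full handshake and is correctly seen as "bob".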