I am setting up a C# proxy, which authenticates all HTTP Negotiate requests with the credentials of the user running the proxy. Sadly, using the Titanium Web Proxy I am not able to authenticate via NTLM / NTLMv2.
According to the GitHub repository, this feature should work out of the box (when setting EnableWinAuth = true).
After debugging the code and inspecting the communication via Wireshark, I think the traffic looks alright. The proxy is using secur32.dll to obtain the type1 and type2 message tokens. Since I am able to authenticate against the website without a proxy (the browsers are using secur32.dll as well), I am sure that the specified NTLM protocol is valid.
- proxy sends a type1 message to the web server hosting the protected site. (when inspecting the type1 message, the domain / workstation name is correct)
- web server sends the type2 message to the proxy
- proxy is able to generate a type3 message from the type2 message and sends it to the server (type3 message includes the correct username)
- web server returns 401 unauthorized
After enabling the IIS feature to trace failed requests, I was able to find out that the web server refuses the token with the ErrorCode="The token supplied to the function is invalid (0x80090308)"
I also tried to authenticate against a website on a local IIS, on a remote IIS and running the proxy on a different workstation.
Changing the local network security policies to different NTLM protocols did not work either.
Do you have any idea how to investigate this case any further?
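
Added example, not part of the original post and not Titanium Web Proxy code: NTLM over HTTP authenticates the underlying TCP connection, so one check on a capture like the one described is to decode each token and confirm that types 1, 2 and 3 arrive in order on the same connection between proxy and server. The function names, the `tcp_stream` ids (as Wireshark's `tcp.stream` would give them) and the sample tokens are assumptions constructed for illustration.

```python
import base64
import struct

SIG = b"NTLMSSP\x00"
UNICODE = 0x00000001  # NTLMSSP_NEGOTIATE_UNICODE

def _field(msg, off):
    # Security buffer descriptor: length, max length, payload offset.
    length, _, start = struct.unpack_from("<HHI", msg, off)
    if start + length > len(msg):
        raise ValueError(f"field at offset {off} points past the end of the token")
    return msg[start:start + length]

def parse_ntlm(header_value):
    """Decode an 'NTLM <b64>' or 'Negotiate <b64>' header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    msg = base64.b64decode(b64)
    if not msg.startswith(SIG):
        raise ValueError("not a raw NTLMSSP token (possibly SPNEGO or Kerberos)")
    info = {"scheme": scheme, "type": struct.unpack_from("<I", msg, 8)[0]}
    if info["type"] == 3:
        flags = struct.unpack_from("<I", msg, 60)[0]
        enc = "utf-16-le" if flags & UNICODE else "cp437"  # OEM code page assumed
        names = [_field(msg, o).decode(enc) for o in (28, 36, 44)]
        info.update(zip(("domain", "user", "workstation"), names))
        info["nt_response"] = "NTLMv2" if len(_field(msg, 20)) > 24 else "NTLMv1"
    return info

def check_handshake(events):
    """events: (tcp_stream, header_value) tuples in capture order, proxy-to-server side."""
    findings, first_stream = [], events[0][0]
    for expected, (stream, value) in enumerate(events, start=1):
        got = parse_ntlm(value)["type"]
        if got != expected:
            findings.append(f"message {expected}: expected type {expected}, got type {got}")
        if stream != first_stream:
            findings.append(f"type {got} on tcp.stream {stream}, handshake began on {first_stream}")
    return findings

def sample_tokens():
    """Constructed tokens (zeroed responses, made-up names); not from a real capture."""
    hdr = lambda raw: "NTLM " + base64.b64encode(raw).decode()
    t1 = SIG + struct.pack("<II", 1, UNICODE) + b"\0" * 16
    t2 = SIG + struct.pack("<IHHII", 2, 0, 0, 48, UNICODE) + b"\0" * 24
    parts = [b"\0" * 24, b"\0" * 40] + [s.encode("utf-16-le") for s in ("CORP", "alice", "WS01")] + [b""]
    t3, body = SIG + struct.pack("<I", 3), b""
    for p in parts:
        t3 += struct.pack("<HHI", len(p), len(p), 64 + len(body))
        body += p
    return [hdr(t1), hdr(t2), hdr(t3 + struct.pack("<I", UNICODE) + body)]
```

An empty result from `check_handshake` means the three messages stayed in order on one connection; a finding naming a second `tcp.stream` means the type 3 message reached the server on a connection that never saw the type 1.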