cancel
Showing results for 
Search instead for 
Did you mean: 
malware-alerts
Level 10

Some user-agent do not respond to HTTP 407 (authentication required) from MWG

Jump to solution

We are in the process of migrating our environment from an old ISA 2006 proxy to MWG.

I've been running in strange authentication difficulties with some applications.

One specific one I'm currently having issues with is a Nexus Maven Repository Manager sitting on a Windows server (User-Agent: "Nexus/2.3.1-01 (OSS; Windows Server 2008 R2; 6.1; amd64; 1.7.0) apacheHttpClient4x/2.3.1-01"

When the application goes through our ISA proxy, it gets the typical response "HTTP407" twice and then sends it's credentials and is properly authenticated.

When pointing to MWG, I can see MWG sends 2x "HTTP407" responses but never actually receives the credentials from the application (therefore doesn't have access).

What I basically did as a workaround is to bypass authentication for the given user-agent but I'm kinda baffled as to why it's working just fine with ISA and not with MWG.

I've also had this exact same behavior with another application that doesn't have a 'user-agent' field in its request headers, works just fine with ISA authentication but simply won't send the credentials with MWG.

Has anybody else run into a similar issue?

0 Kudos
1 Solution

Accepted Solutions
eelsasser
Level 15

Re: Some user-agent do not respond to HTTP 407 (authentication required) from MWG

Jump to solution

Those types of application may authenticate, but may not like NTLM authentication.

Do you have BasicAuth turned on the settings too?

Capture.png

Also, if you packet capture the 407 responses, does it send anything in the header?

Proxy-Authorization: BASIC blahblahblah

0 Kudos
8 Replies
eelsasser
Level 15

Re: Some user-agent do not respond to HTTP 407 (authentication required) from MWG

Jump to solution

Those types of application may authenticate, but may not like NTLM authentication.

Do you have BasicAuth turned on the settings too?

Capture.png

Also, if you packet capture the 407 responses, does it send anything in the header?

Proxy-Authorization: BASIC blahblahblah

0 Kudos
malware-alerts
Level 10

Re: Some user-agent do not respond to HTTP 407 (authentication required) from MWG

Jump to solution

So just had a quick troubleshooting session with someone using the 'OutlookGoogleSync' plugin (used to synch your calendar events in outlook with your google calendar).

A TCP trace was taken when the issue was reproduced and it goes like this:

Client: CONNECT www.googleapis.com:443 HTTP/1.1

MWG: HTTP/1.1 407 authenticationrequired

          Proxy-Authenticate: NTLM

Client: Proxy-Authorization: NTLM xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (NTLMSSP_NEGOTIATE)

MWG: HTTP/1.1 407 authenticationrequired

          Proxy-Authenticate: NTLM xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (NTLMSSP_CHALLENGE)

... and then nothing back from the client. This was still with only 'Integrated Authentication" enabled (not Basic).

I'll enable basic and test again on Monday.

0 Kudos
eelsasser
Level 15

Re: Some user-agent do not respond to HTTP 407 (authentication required) from MWG

Jump to solution

But the Real question is, do you have a trace from the ISA server that originally worked?

And do you see the 407 coming from ISA saying:

Proxy-Authenticate: Basic

Proxy-Authenticate: NTLM

And a corresponding reply from the client saying:

Proxy-Authorization: BASIC .......

I suspect that the client is choosing to downgrade to BasicAuth at it's own discretion.

0 Kudos
malware-alerts
Level 10

Re: Some user-agent do not respond to HTTP 407 (authentication required) from MWG

Jump to solution

I've enabled Basic authentication on the MWG and rerean the tests with the same user: same result.

I see the proxy sending the HTTP 407 with both "Proxy-Authenticate: NTLM" and "Proxy-Authenticate: Basic", the client choses NTLM, gets the NTLM_CHALLENGE back from the proxy and never sends anything else after.

I'm asking the user to revert to the old proxy and re-run the same tests to see what happens.

Thanks.

0 Kudos
malware-alerts
Level 10

Re: Some user-agent do not respond to HTTP 407 (authentication required) from MWG

Jump to solution

Just got the trace back from the user using the old ISA proxy and turns out it's not even requesting authentication for googleapis.com. This might have been an issue in the past and the support group might have decided to simply bypass authentication for the site...

At this point I'm going to see if a case can be opened with Google to figure out why it's not answering the NTLMSSP_CHALLENGE response.

Keep you posted.

0 Kudos
eelsasser
Level 15

Re: Some user-agent do not respond to HTTP 407 (authentication required) from MWG

Jump to solution

Good to know.

It looks like ISA was also bypassing authentication.

So does that mean your original observation was not accutate?:

"When the application goes through our ISA proxy, it gets the typical response "HTTP407" twice and then sends it's credentials and is properly authenticated.",

I'm curious.

0 Kudos
malware-alerts
Level 10

Re: Some user-agent do not respond to HTTP 407 (authentication required) from MWG

Jump to solution

So does that mean your original observation was not accutate?:


"When the application goes through our ISA proxy, it gets the typical response "HTTP407" twice and then sends it's credentials and is properly authenticated.",


For "googleapis.com" it was innacurate, but when I first opened the discussion, it was about Nexus Maven Repository Manager for which authentication was working on the ISA server and does not on the MWG (have to confirm with app support group now that Basic Auth has been enabled on MWG). I also encountered the issue with a Juniper Networks appliance that uses MWG to fetch updates which was solved by enabling the Basic Auth on MWG.

So, technically, your answer about Basic versus NTLM is most likely correct for all the other issues I've had. I just happened to stumble on the one app that refuses to authenticate altogether...

Thanks.

0 Kudos
malware-alerts
Level 10

Re: Some user-agent do not respond to HTTP 407 (authentication required) from MWG

Jump to solution

Testing was completed today with the Nexus Maven Repository Manager and enabling Basic authentication within the NTLM auth configuration did the trick.

Thanks!