0 Replies Latest reply on Oct 24, 2017 10:06 AM by holger.haas

    Skype4Business authentication problems

    holger.haas

      Hello,

       

      did anyone succeed in running Skype4Business over a McAfee web gateway?

      In our environment (no own Skype infrastructure, explicit proxy, Kerberos authentication with NTLM fallback on MWG), as soon as the Skype plugin is needed (application and desktop sharing, audio, video,...), it fails because of the well known "Negiotiate with NTLM token" problem (see Kerberos and NTLM authentication fallback ):

       

      • Plugin tries to connect
      • MWG sends 407 with "Proxy-Authenticate" headers for "Negotiate" and "NTLM"
      • Plugin send "Proxy-Authorization: Negotiate T1RM..." (Negotiate, but with NTLM token. Seems to be valid in the MS World)
      • MWG does fallback (Sends another 407, this time only NTLM is offered)
      • ... no more reply from plugin

       

      At this point, the user gets an authentication prompt, but he can type in whatever he/she likes, it will not work...

      The problem could be simply solved if the plugin would send an appropriate "User Agent" header, but without that we have to maintain an exception list of all Skype servers of our partners, which we do not know before our users connect there for the first time.

       

      Does/Did anyone have the same issues, and better even could anyone solve these?

       

      Or is it possible that we additionally have an NTLM problem/misconfiguration here that disrupts the fallback? (On the other hand, this setup is running for about three years now without similar authentication problems apart from Basic authentication seems not to work at the beginning).

       

      Thanks for input,

      Holger