Only first request over NTLM is authenticated

Postby fineman » Oct 30 16 2:06 am

I am trying to develop a network tunnel that can traverse NTLM authenticating proxies. As part of that I am investigating how NTLM auth works. My test setup has WinGate proxy on one Windows box configured to require NTLM auth. My Windows client is set to use the WinGate machine as proxy. After WinGate is restarted, the first webpage I open requires authentication - I see the NTLM exchange via Fiddler. Subsequent requests from the same PC do not appear to require authentication. I mean any request from the PC - not just from the same browser - for example, opening Firefox when the initial auth was done in Chrome. I've captured all the traffic using Fiddler (and previously also with Wireshark) - I see no evidence of any token or identification being sent to the proxy. So how does the proxy know to allow these subsequent requests through? Is this expected behaviour for NTLM auth? Or is it something about the way WinGate works?
fineman
 
Posts: 7
Joined: Oct 30 16 2:03 am

Re: Only first request over NTLM is authenticated

Postby adrien » Oct 31 16 12:23 pm

Hi

WinGate caches the credentials that are established by an IP address, and subsequent requests (by default) are deemed to be using the same credentials.

NTLM auth handshaking usually requires each request to be issued at least 3 times, so this cuts down a lot of load, latency and logging.

It's possible to turn it off with credential rules. Create a rule (match on whatever, e.g. to match all IPs would be 0.0.0.0 mask 0.0.0.0) and select the option to not inherit credentials. Then you'll be challenged for auth each connection.

Regards

Adrien
adrien
Qbik Staff
 
Posts: 5441
Joined: Sep 03 03 2:54 pm
Location: Auckland

Re: Only first request over NTLM is authenticated

Postby fineman » Oct 31 16 8:46 pm

Ah! Finally the mystery is solved :) Thanks. That helps a lot.
fineman
 
Posts: 7
Joined: Oct 30 16 2:03 am

Re: Only first request over NTLM is authenticated

Postby fineman » Oct 31 16 9:10 pm

Hmm - when I create a credential rule, the option to "not inherit credentials" is not there. I do have "Don't allow credentials established by a session to be used by other sessions" - is that the one? Unfortunately I'm using the free version of WinGate 8.5.9 so that option says it is not available to me.
fineman
 
Posts: 7
Joined: Oct 30 16 2:03 am

Re: Only first request over NTLM is authenticated

Postby adrien » Nov 01 16 11:34 am

Yes, that's the one - sorry, I paraphrased.
adrien
Qbik Staff
 
Posts: 5441
Joined: Sep 03 03 2:54 pm
Location: Auckland

Re: Only first request over NTLM is authenticated

Postby adrien » Nov 01 16 11:35 am

p.s. for testing etc you could activate a trial, which would give you access to the feature.
adrien
Qbik Staff
 
Posts: 5441
Joined: Sep 03 03 2:54 pm
Location: Auckland

Re: Only first request over NTLM is authenticated

Postby fineman » Nov 01 16 11:29 pm

Having taken out a trial license I have created a credential rule as you described and restarted WinGate. It seems that isn't working - only the first request from the client PC is getting the NTLM auth challenge, after that (from the logs) everything appears to go through unchallenged. Any ideas what I might be doing wrong?
fineman
 
Posts: 7
Joined: Oct 30 16 2:03 am

Re: Only first request over NTLM is authenticated

Postby fineman » Nov 02 16 12:49 am

Just to be clear, what I'm looking to configure is what I've read as the correct behaviour of an NTLM authenticating proxy - that each new connection should be authenticated, but that connections kept-alive via 'keep-alive' should not need to re-authenticate when subsequent requests are sent over the same connection. As it stands now, once the first connection authenticates I can do anything I like on the client PC - all internet clients (browsers, other processes like Evernote sync etc) all pass through the proxy unchallenged which seems to me wrong.
fineman
 
Posts: 7
Joined: Oct 30 16 2:03 am

Re: Only first request over NTLM is authenticated

Postby adrien » Nov 02 16 12:59 am

Hi

How did you specify the matching criteria in the credential rule? It sounds like it's not matching. If it does match, the display of the activity from a matching IP looks different (shows machine with different icon, then sub-items for users, then sessions)
adrien
Qbik Staff
 
Posts: 5441
Joined: Sep 03 03 2:54 pm
Location: Auckland

Re: Only first request over NTLM is authenticated

Postby fineman » Nov 02 16 2:54 am

I set up a credential rule "Apply this rule if Ip Address matched 0.0.0.0 mask 255.255.255.255" - so to test I just tried setting the IP Address to exactly match the client IP - then it worked. Strangely, then if I set it back to 0.0.0.0 it continued to work correctly. Not sure exactly what is happening there. By the way, where do I see the activity that you mentioned - machine with different icon, then sub-items for users, then sessions?
fineman
 
Posts: 7
Joined: Oct 30 16 2:03 am

Re: Only first request over NTLM is authenticated

Postby adrien » Nov 02 16 9:11 am

The mask also needs to be 0.0.0.0, as per my previous reply.

Masking with 255.255.255.255 does nothing: it selects all the input bits into the output, and therefore only an IP of 0.0.0.0 (impossible), once masked with 255.255.255.255, would match 0.0.0.0.

Adrien
adrien
Qbik Staff
 
Posts: 5441
Joined: Sep 03 03 2:54 pm
Location: Auckland
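To make the two points in the replies above concrete (credentials cached per client IP, and why a rule of 0.0.0.0 with mask 255.255.255.255 matches nothing while mask 0.0.0.0 matches every client), here is an added Python model. It is not WinGate's code; `mask_match`, `ProxyModel`, the rule list and the 192.0.2.x client addresses are constructed for illustration.

```python
import ipaddress


def mask_match(client_ip: str, rule_ip: str, rule_mask: str) -> bool:
    """A rule matches when (client & mask) == (rule & mask).

    With mask 255.255.255.255 every client bit is kept, so only a client
    of exactly rule_ip can match; with mask 0.0.0.0 all bits are dropped
    and every client matches.
    """
    c = int(ipaddress.IPv4Address(client_ip))
    r = int(ipaddress.IPv4Address(rule_ip))
    m = int(ipaddress.IPv4Address(rule_mask))
    return (c & m) == (r & m)


class ProxyModel:
    """Toy model (constructed, not WinGate's implementation) of an NTLM proxy
    that caches the credentials established by a client IP."""

    def __init__(self, no_inherit_rules):
        # (ip, mask) rules whose matching clients must authenticate every connection
        self.rules = no_inherit_rules
        # client IP -> user whose NTLM handshake completed from that address
        self.cache = {}

    def _must_challenge(self, ip: str) -> bool:
        return any(mask_match(ip, r_ip, r_mask) for r_ip, r_mask in self.rules)

    def new_connection(self, ip: str, user: str) -> str:
        """'inherited' when cached per-IP credentials are reused without a
        handshake; 'challenged' when the negotiate/challenge/authenticate
        exchange runs on this connection."""
        if ip in self.cache and not self._must_challenge(ip):
            return "inherited"
        self.cache[ip] = user  # handshake completed on this connection
        return "challenged"


def demo(rules):
    """Three new connections from one client PC (e.g. Chrome, then Firefox,
    then a background sync client), as in the original question."""
    proxy = ProxyModel(rules)
    return [proxy.new_connection("192.0.2.10", "alice") for _ in range(3)]


if __name__ == "__main__":
    print("no rule:                 ", demo([]))
    print("0.0.0.0/255.255.255.255: ", demo([("0.0.0.0", "255.255.255.255")]))
    print("0.0.0.0/0.0.0.0:         ", demo([("0.0.0.0", "0.0.0.0")]))
```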

Re: Only first request over NTLM is authenticated

Postby fineman » Nov 03 16 1:24 am

Ah! Apologies, missed that - makes sense. Thanks for your patience.
fineman
 
Posts: 7
Joined: Oct 30 16 2:03 am