Cannot authenticate with NTLM over HTTP from Windows 7 to Windows 2k8 server
When trying to use NTLM proxy authentication from a Windows 7 client to a squid proxy running on my Windows 2k8 Server domain controller (the client belongs to the domain), the type 3 message produced by the client is not accepted by the SSPI call in the proxy authentication. LMcompatibility is set to 5 on both server and client - packet structure indicates that NTLMv2 is in use.

I believe the problem is caused by extra AVPairs being injected in the TargetInfo section by the Windows 7 client:

- The type 2 message contains Target Info with AVPairs for NbDomainName, NbComputerName, DnsDomainName, DnsComputerName, DnsTreeName and Timestamp.
- The type 3 message contains the above, PLUS additional AVPairs for Flags, Restrictions, ChannelBindings and TargetName.

Passing the type 3 message token to AcceptSecurityContext returns 0x80090308 (SEC_E_INVALID_TOKEN). If I programmatically remove the extra fields by manipulating the message and recalculating the HMAC field (using the known password for the authenticating user's account), then the authentication succeeds.

Other client platforms do not add these pairs, and are able to authenticate successfully. I have tested XP, Windows 2k3 Server and Windows 2k8 Server (all with LMCompatibility set to 5). For the sake of completeness, I should mention that in the Win2k8 client test, everything (client, DC, server) was on the same server.

Is this a real defect? Or am I doing something wrong?

Thanks,
Mark.
February 8th, 2010 5:53pm
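
A diagnostic for the comparison described in the post, added here as an example and not part of the original post: it walks the AV_PAIR list from the type 2 TargetInfo and the one carried in the type 3 NTLMv2 response, and reports which AvIds the client added. The helper names and the sample lists are constructed for illustration, and the two AV_PAIR blobs are assumed to have been extracted from the messages already.

```python
import struct

# AvId values from the MS-NLMP AV_PAIR definition. AvId 8 is the pair the
# post calls "Restrictions" (MsvAvSingleHost in current MS-NLMP).
AV_NAMES = {
    0: "MsvAvEOL", 1: "MsvAvNbComputerName", 2: "MsvAvNbDomainName",
    3: "MsvAvDnsComputerName", 4: "MsvAvDnsDomainName", 5: "MsvAvDnsTreeName",
    6: "MsvAvFlags", 7: "MsvAvTimestamp", 8: "MsvAvSingleHost",
    9: "MsvAvTargetName", 10: "MsvAvChannelBindings",
}

def parse_av_pairs(blob):
    """Walk an AV_PAIR list (AvId u16le, AvLen u16le, value) until MsvAvEOL."""
    pairs, off = [], 0
    while True:
        if off + 4 > len(blob):
            raise ValueError("AV_PAIR list truncated before MsvAvEOL")
        av_id, av_len = struct.unpack_from("<HH", blob, off)
        off += 4
        if av_id == 0:
            return pairs
        if off + av_len > len(blob):
            raise ValueError("AV_PAIR value runs past end of buffer")
        pairs.append((av_id, blob[off:off + av_len]))
        off += av_len

def added_by_client(challenge_info, authenticate_info):
    """Names of AvIds present in the type 3 list but absent from the type 2 list."""
    server_ids = {i for i, _ in parse_av_pairs(challenge_info)}
    return [AV_NAMES.get(i, f"unknown({i})")
            for i, _ in parse_av_pairs(authenticate_info) if i not in server_ids]

def build(pairs):
    """Constructed test data: serialise (AvId, value) tuples plus the terminator."""
    return b"".join(struct.pack("<HH", i, len(v)) + v for i, v in pairs) + bytes(4)

def _u(s):
    return s.encode("utf-16-le")

# Constructed sample values (hypothetical names), not captured traffic.
TYPE2 = [(2, _u("EXAMPLE")), (1, _u("DC01")), (4, _u("example.test")),
         (3, _u("dc01.example.test")), (5, _u("example.test")), (7, bytes(8))]
TYPE3 = TYPE2 + [(6, struct.pack("<I", 2)), (8, bytes(48)),
                 (10, bytes(16)), (9, _u("HTTP/dc01.example.test"))]

if __name__ == "__main__":
    print(added_by_client(build(TYPE2), build(TYPE3)))
```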
