Web proxy NTLM authentication problems
I'm a consultant working onsite at my customer. My computer (running Win7 Enterprise, SP1, 32-bit) is part of my company domain, and I use an account from the customer's domain to access their web proxy server. The proxy server is using NTLM authentication.
IE9 on Win7 works fine, the customer domain credentials are saved so I only have to enter the password if it has changed. But accessing my company's Exchange server using Outlook 2003 RPC over HTTPS through the proxy does not work; I just get a "403 Forbidden, Access Denied" response from the proxy. Accessing it from home works fine.
My old computer with WinXP SP3 and Outlook 2003 has no problems accessing the Exchange server through the proxy. The Outlook settings are identical on the two computers, using Basic authentication over SSL. I have changed "Network security: LAN Manager authentication level" from the Win7 default "Send NTLMv2 response only" to the WinXP default "Send LM & NTLM responses" as suggested in another thread, but still get access denied.
Running rpcping (from http://support.microsoft.com/kb/831051) and sniffing the traffic with Wireshark, I have found some differences between the WinXP and Win7 installations. I use rpcping with the following parameters:
> rpcping -t ncacn_http -o RpcProxy=mail.mycompany.com -P "myuser,mycompany,*" -H 1 -u 10 -a connect -F 3 -v 3 -E -R customer-proxy:8080
RPCPing v2.12. Copyright (C) Microsoft Corporation, 2002
OS Version is: 6.1, Service Pack 1
Enter password for RPC/HTTP proxy:
RPCPinging proxy server mail.mycompany.com with Echo Request Packet
Sending ping to server
Response from server received: 403
Ping failed.
Running the same command in WinXP results in a "Ping successful" message. The data sent from WinXP is using HTTP/1.0 and sends a cookie set by the proxy server:
CONNECT mail.mycompany.com:443 HTTP/1.0
User-Agent: RPCPing
Host: mail.mycompany.com
Content-Length: 0
Proxy-Connection: Keep-Alive
Cookie: BCSI-CS-70c76d823e93ac89=2
Proxy-Authorization: Negotiate [Binary NTLM data]
HTTP/1.1 407 Proxy Authentication Required
Proxy-Authenticate: NEGOTIATE [Binary NTLM data]
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Proxy-Connection: Keep-Alive
Set-Cookie: BCSI-CS-70c76d823e93ac89=2; Path=/
Connection: Keep-Alive
Content-Length: 1112
<HTML><HEAD>
<TITLE>Access Denied</TITLE>
</HEAD>
<BODY>
[...]
Your credentials could not be authenticated: "Another round of authentication required.". You will not be permitted access until your credentials can be verified.
[...]
</BODY></HTML>
CONNECT mail.mycompany.com:443 HTTP/1.0
User-Agent: RPCPing
Host: mail.mycompany.com
Content-Length: 0
Proxy-Connection: Keep-Alive
Cookie: BCSI-CS-70c76d823e93ac89=2
Proxy-Authorization: Negotiate [Binary NTLM data]
HTTP/1.1 200 Connection established
When running rpcping on Win7, it uses HTTP/1.1, does not send the cookie and omits the User-Agent, Content-Length and Proxy-Connection headers. Also, the SSL port 443 is specified in the Host header. Some of these differences are probably due to using HTTP/1.1.
CONNECT mail.mycompany.com:443 HTTP/1.1
Host: mail.mycompany.com:443
Proxy-Authorization: Negotiate [Binary NTLM data]
HTTP/1.1 407 Proxy Authentication Required
Proxy-Authenticate: NEGOTIATE [Binary NTLM data]
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Proxy-Connection: Keep-Alive
Set-Cookie: BCSI-CS-70c76d823e93ac89=2; Path=/
Connection: Keep-Alive
Content-Length: 1112
<HTML><HEAD>
<TITLE>Access Denied</TITLE>
</HEAD>
<BODY>
[...]
Your credentials could not be authenticated: "Another round of authentication required.". You will not be permitted access until your credentials can be verified.
[...]
</BODY></HTML>
CONNECT mail.mycompany.com:443 HTTP/1.1
Host: mail.mycompany.com:443
Proxy-Authorization: Negotiate [Binary NTLM data]
HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Proxy-Connection: Keep-Alive
Connection: Keep-Alive
Content-Length: 888
<HTML><HEAD>
<TITLE>Access Denied</TITLE>
</HEAD>
<BODY>
[...]
Access Denied
[...]
</BODY></HTML>
As you can see, the request from Win7 ends in a "403 Forbidden" instead of "200 Connection established".
Examining the binary NTLM data in Wireshark, the only differences I have found are:

NTLMSSP_NEGOTIATE                          XP               Win7
=========================================  ===============  ===============
Flags: Negotiate Key Exchange              0                1
Flags: Negotiate Lan Manager Key           0                1
Flags: Negotiate Sign                      0                1
Version                                    5.1              6.1
Build                                      2600             7601

NTLMSSP_AUTH                               XP               Win7
=========================================  ===============  ===============
Session Key                                "Empty"          b99f15...
Flags: Negotiate Key Exchange              0                1
Flags: Negotiate Sign                      0                1
Version                                    5.1              6.1
Build                                      2600             7601
MIC                                        Missing          755107...
I'm not sure if these differences might cause the problems, but they are prime suspects. The real question is what I need to change to make the Win7 request identical to the WinXP one. I'm starting to lose my hair over this... :-)
/Andreas
March 20th, 2012 8:57am
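The flag table above compares two NTLMSSP type 1 (NEGOTIATE) messages field by field. The following is an added example, not code from the original post, rpcping, WinHTTP or Wireshark: it builds two NEGOTIATE_MESSAGE blobs (XP-like and Win7-like), round-trips them through the base64 form used in a Proxy-Authorization header, decodes the NegotiateFlags and VERSION fields per MS-NLMP, and prints the bits that differ. The common flag set shared by the two constructed messages is an assumption (the thread only lists the differing flags); the flag values and offsets are the documented ones.

```python
"""Decode and diff NTLMSSP NEGOTIATE_MESSAGE (type 1) blobs.

Hypothetical helper written for this thread; it is not part of rpcping, WinHTTP
or Wireshark. Layout and flag values follow MS-NLMP 2.2.1.1 (NEGOTIATE_MESSAGE),
2.2.2.5 (NEGOTIATE flags) and 2.2.2.10 (VERSION).
"""
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
MSG_NEGOTIATE = 1

# Subset of NegotiateFlags (MS-NLMP 2.2.2.5): bit value -> short name.
NEGOTIATE_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL",
    0x00000080: "NEGOTIATE_LM_KEY",
    0x00000200: "NEGOTIATE_NTLM",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x02000000: "NEGOTIATE_VERSION",
    0x20000000: "NEGOTIATE_128",
    0x40000000: "NEGOTIATE_KEY_EXCH",
    0x80000000: "NEGOTIATE_56",
}
BIT = {name: bit for bit, name in NEGOTIATE_FLAGS.items()}

# Constructed flag sets. The thread only lists the flags that differ, so the
# shared part below is an assumption (a typical NTLMv2-capable Windows client).
XP_FLAGS = (BIT["NEGOTIATE_UNICODE"] | BIT["NEGOTIATE_OEM"] | BIT["REQUEST_TARGET"]
            | BIT["NEGOTIATE_NTLM"] | BIT["NEGOTIATE_ALWAYS_SIGN"]
            | BIT["NEGOTIATE_EXTENDED_SESSIONSECURITY"] | BIT["NEGOTIATE_VERSION"]
            | BIT["NEGOTIATE_128"] | BIT["NEGOTIATE_56"])
WIN7_FLAGS = XP_FLAGS | BIT["NEGOTIATE_SIGN"] | BIT["NEGOTIATE_LM_KEY"] | BIT["NEGOTIATE_KEY_EXCH"]


def build_negotiate(flags, major, minor, build):
    """Minimal type 1 message: empty DomainName/Workstation payloads plus a VERSION field."""
    header_len = 40  # 8 signature + 4 type + 4 flags + 8 + 8 field descriptors + 8 version
    msg = SIGNATURE + struct.pack("<II", MSG_NEGOTIATE, flags)
    msg += struct.pack("<HHI", 0, 0, header_len)  # DomainNameFields (Len, MaxLen, Offset)
    msg += struct.pack("<HHI", 0, 0, header_len)  # WorkstationFields
    msg += struct.pack("<BBH3xB", major, minor, build, 0x0F)  # VERSION, NTLMRevisionCurrent = 15
    return msg


def parse_negotiate(blob):
    """Return the flags, their names and, when NEGOTIATE_VERSION is set, the OS version/build."""
    if not blob.startswith(SIGNATURE):
        # A real SPNEGO wrapper starts with an ASN.1 0x60 tag; this helper only handles raw NTLMSSP.
        raise ValueError("not a raw NTLMSSP message")
    msg_type, flags = struct.unpack_from("<II", blob, 8)
    if msg_type != MSG_NEGOTIATE:
        raise ValueError(f"expected NEGOTIATE_MESSAGE (1), got type {msg_type}")
    info = {"flags": flags,
            "flag_names": sorted(n for b, n in NEGOTIATE_FLAGS.items() if flags & b)}
    if flags & BIT["NEGOTIATE_VERSION"] and len(blob) >= 40:
        major, minor, build, _rev = struct.unpack_from("<BBH3xB", blob, 32)
        info["version"] = f"{major}.{minor}"
        info["build"] = build
    return info


def diff_flags(a, b):
    """{flag name: (set in a, set in b)} for every named bit that differs between a and b."""
    return {n: (bool(a & bit), bool(b & bit))
            for bit, n in NEGOTIATE_FLAGS.items() if bool(a & bit) != bool(b & bit)}


def token_from_header(value):
    """'Negotiate <base64>' (Proxy-Authorization / Proxy-Authenticate value) -> raw token bytes."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        raise ValueError(f"unexpected auth scheme {scheme!r}")
    return base64.b64decode(token.strip())


def header_from_token(token):
    return "Negotiate " + base64.b64encode(token).decode("ascii")


def compare_samples():
    """Build XP- and Win7-like type 1 messages, round-trip them through the header form
    and report the same kind of differences Wireshark showed in the thread."""
    xp = parse_negotiate(token_from_header(header_from_token(build_negotiate(XP_FLAGS, 5, 1, 2600))))
    w7 = parse_negotiate(token_from_header(header_from_token(build_negotiate(WIN7_FLAGS, 6, 1, 7601))))
    return {"xp": xp, "win7": w7, "changed": diff_flags(xp["flags"], w7["flags"])}


if __name__ == "__main__":
    r = compare_samples()
    print("XP  :", r["xp"]["version"], r["xp"]["build"])
    print("Win7:", r["win7"]["version"], r["win7"]["build"])
    for name, (in_xp, in_w7) in r["changed"].items():
        print(f"{name:<40} XP={int(in_xp)} Win7={int(in_w7)}")
```

To use it on a real capture, paste the value of the Proxy-Authorization header from Wireshark into token_from_header() and feed the result to parse_negotiate(); if the proxy negotiated real SPNEGO rather than raw NTLMSSP, the signature check fails and you would need to unwrap the ASN.1 first.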
Hi,
Since your problematic computer is part of company domain, please have a test with Windows 7 computer which is out of this domain.
Here is one related article that can be referred to.
How to troubleshoot client RPC over HTTP connection issues in Outlook 2003
http://support.microsoft.com/kb/827330/en-us
And I think you may redirect this thread to Exchange forum for further assistance.
http://social.technet.microsoft.com/Forums/en-US/category/exchangeserver
March 22nd, 2012 3:54am
Just want to clarify one thing. Is the proxy the same for both XP and Win7 machines?
March 22nd, 2012 5:17am
The old computer running WinXP is also part of my company domain, and that works fine. I don't have any other Win7 machines available that I can test either.
Running the test suite on https://www.testexchangeconnectivity.com succeeds without errors, so the Exchange server is accessible from the internet. It is just when accessing it through the customer's proxy I have these problems.
And yes, WinXP and Win7 use the same proxy server.
I have actually found out some more details since my last post. It might not be the NTLM authentication that causes the problems after all. When running from WinXP, the following request is sent:
CONNECT mail.mycompany.com:443 HTTP/1.0
User-Agent: RPCPing
Host: mail.mycompany.com
Content-Length: 0
Proxy-Connection: Keep-Alive
Cookie: BCSI-CS-70c76d823e93ac89=2
Proxy-Authorization: Negotiate [Binary NTLM data]
When running from Win7, only the following headers are sent in the request:
CONNECT mail.mycompany.com:443 HTTP/1.1
Host: mail.mycompany.com:443
Proxy-Authorization: Negotiate [Binary NTLM data]
I ran Chrome (which works fine) first through a proxy on localhost and then through the customer's proxy, and filtered one header field at a time at the local proxy. It turns out that I can remove all the extra header fields used in WinXP, except User-Agent. So if I inject a User-Agent field in the Win7 request like:
CONNECT mail.mycompany.com:443 HTTP/1.1
User-Agent: RPCPing
Host: mail.mycompany.com:443
Proxy-Authorization: Negotiate [Binary NTLM data]
I then get a "200 Connection established" instead of "403 Forbidden" from the customer's proxy. It seems like the proxy uses this field for some extra access control, even though the HTTP standard specifies that the User-Agent field is optional (but recommended).
So now the question is: How can I make Outlook on Win7 send the User-Agent header field? Is it possible to make Outlook use HTTP/1.0 instead, maybe it will then send the User-Agent like it does on WinXP?
/Andreas
March 22nd, 2012 7:07am
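The post above describes a manual experiment: strip one header at a time from the working WinXP CONNECT request at a local proxy until the customer's proxy stops answering 200, then inject the missing header into the Win7 request. The following is an added example, not code from the original post, Chrome, WinHTTP or the customer's proxy: it parses a CONNECT request head, drops or injects headers while leaving Proxy-Authorization alone (so the NTLM handshake is not disturbed), and automates the ablation for all headers rather than one. The two request heads are reconstructed from the captures in the thread with a placeholder in place of the binary NTLM token, and simulated_proxy() is a stand-in that reproduces only the behaviour the thread observed (403 without User-Agent); live_proxy() sends the head to a real proxy instead.

```python
"""Header-ablation helper for a CONNECT request to an authenticating proxy.

Hypothetical code written for this thread; it is not Chrome, WinHTTP, rpcping or
the customer's proxy. It automates the "strip one header at a time" experiment
and lets you inject a header into the minimal WinHTTP 6.1 request head.
"""
import socket

# Constructed from the captures in the thread; the NTLM token is a placeholder.
XP_CONNECT = (
    b"CONNECT mail.mycompany.com:443 HTTP/1.0\r\n"
    b"User-Agent: RPCPing\r\n"
    b"Host: mail.mycompany.com\r\n"
    b"Content-Length: 0\r\n"
    b"Proxy-Connection: Keep-Alive\r\n"
    b"Cookie: BCSI-CS-70c76d823e93ac89=2\r\n"
    b"Proxy-Authorization: Negotiate PLACEHOLDER-NTLM-TOKEN\r\n"
    b"\r\n"
)
WIN7_CONNECT = (
    b"CONNECT mail.mycompany.com:443 HTTP/1.1\r\n"
    b"Host: mail.mycompany.com:443\r\n"
    b"Proxy-Authorization: Negotiate PLACEHOLDER-NTLM-TOKEN\r\n"
    b"\r\n"
)


def parse_request(raw):
    """Split a request head into (request line, [(name, value), ...]), preserving header order."""
    head, sep, _ = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request head is not terminated by a blank line")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers


def serialize_request(request_line, headers):
    out = request_line + "\r\n" + "".join(f"{n}: {v}\r\n" for n, v in headers) + "\r\n"
    return out.encode("latin-1")


def rewrite_headers(raw, drop=(), inject=()):
    """Drop the named headers (case-insensitive) and prepend injected (name, value) pairs
    that are not already present. Proxy-Authorization is never dropped, so the NTLM
    handshake carried in it stays intact."""
    request_line, headers = parse_request(raw)
    drop_lc = {d.lower() for d in drop} - {"proxy-authorization"}
    kept = [(n, v) for n, v in headers if n.lower() not in drop_lc]
    present = {n.lower() for n, _ in kept}
    added = [(n, v) for n, v in inject if n.lower() not in present]
    return serialize_request(request_line, added + kept)


def status_code(response):
    """Numeric status from a response head such as b'HTTP/1.1 407 Proxy Authentication Required'."""
    status_line = response.split(b"\r\n", 1)[0].decode("latin-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1])


def required_headers(raw, send):
    """Ablation: drop each header in turn and report those whose absence stops the proxy
    from answering 200. `send(raw) -> response head bytes` talks to the proxy."""
    _, headers = parse_request(raw)
    baseline = status_code(send(raw))
    if baseline != 200:
        raise RuntimeError(f"full request already fails with {baseline}")
    return [name for name, _ in headers
            if status_code(send(rewrite_headers(raw, drop=[name]))) != 200]


def simulated_proxy(raw):
    """Stand-in for the customer proxy reproducing only what the thread observed:
    a CONNECT without User-Agent is refused with 403 (assumption, not vendor behaviour)."""
    _, headers = parse_request(raw)
    names = {n.lower() for n, _ in headers}
    if "proxy-authorization" not in names:
        return b"HTTP/1.1 407 Proxy Authentication Required\r\n\r\n"
    if "user-agent" not in names:
        return b"HTTP/1.1 403 Forbidden\r\n\r\n"
    return b"HTTP/1.1 200 Connection established\r\n\r\n"


def live_proxy(host, port, timeout=5.0):
    """Return a send() that forwards one request head to a real proxy and reads its
    response head. Expect 407 on the first round; the NTLM rounds are not driven here."""
    def send(raw):
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(raw)
            buf = b""
            while b"\r\n\r\n" not in buf:
                chunk = s.recv(4096)
                if not chunk:
                    break
                buf += chunk
        return buf
    return send


if __name__ == "__main__":
    print("required by simulated proxy:", required_headers(XP_CONNECT, simulated_proxy))
    fixed = rewrite_headers(WIN7_CONNECT, inject=[("User-Agent", "RPCPing")])
    print(fixed.decode("latin-1"))
    print("status:", status_code(simulated_proxy(fixed)))
```

Against a real proxy, pass live_proxy("customer-proxy", 8080) as the send function; because each probe opens a fresh connection and sends only the first NTLM leg, a 407 is the expected answer for a request the proxy is willing to authenticate, and the ablation then has to treat 407 rather than 200 as the baseline.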
Loading rpcping.exe into Dependency Walker, it's clear that it uses WinHttp.dll instead of WinInet.dll. Hmm, what would happen if I copied the WinHttp.dll from Windows XP SP3 into C:\Program Files\Microsoft Office\Office11 where Outlook.exe is located?
I can't believe that actually worked, now Outlook sends HTTP/1.0 requests with User-Agent and all the other header fields just like it did on my old computer.
Existing version on Windows 7 SP1: 6.1.7601.17514
Copied version from Windows XP SP3: 5.1.2600.6175
It's not the cleanest solution, but it will have to do for now. If anyone has a better idea, I'm all ears...
/Andreas
March 22nd, 2012 1:06pm