On Fri, 27 Feb 2004, Andrej G. Zadorozhnyj wrote:
> My problem: user "kgi" from NT domain "sdpmz" browses www.ya.ru. In
> access.log I see the following information:
> 10.2.5.52 TCP_DENIED/407 1673 GET http://ya.ru/ - NONE/-
> 10.2.5.52 TCP_DENIED/407 1673 GET http://ya.ru/ - NONE/-
> 10.2.5.52 TCP_MISS/200 1566 GET http://ya.ru/ - DIRECT/213.180.194.129
> 10.2.5.52 TCP_DENIED/407 1730 GET http://www.yandex.ru/yandsearch? - NONE/-
> 10.2.5.52 TCP_DENIED/407 1730 GET http://www.yandex.ru/yandsearch? - NONE/-
> 10.2.5.52 TCP_MISS/200 5845 GET http://www.yandex.ru/yandsearch? sdpmz\kgi DIRECT/213.180.194.12
>
> The first and second strings tell me about the auth process, and in the
> third string I want to see "domain\user", but it is only in the sixth
> string, after user "kgi" completed his find-request.
The reason for this is how NTLM operates.
For each new TCP connection opened by the browser to the proxy there are
two TCP_DENIED/407 with no username, indicating NTLM is negotiating the
authentication. When the connection is authenticated the request is
forwarded to the requested server (TCP_MISS ... DIRECT).
Regards
Henrik
Received on Fri Feb 27 2004 - 04:30:39 MST
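
The pattern described in the reply above can be separated from real authentication failures when reviewing access.log. The following is an added example, not part of the original thread or of Squid: it assumes the abbreviated field layout quoted in the message, correlates by client IP because the log carries no connection id, and the `10.2.5.99` lines and the `classify` function are constructed for illustration.

```python
import re
from collections import defaultdict

# First six lines are the ones quoted in the message; the 10.2.5.99 lines are
# constructed to show a client whose challenges are never followed by a request.
SAMPLE = r"""
10.2.5.52 TCP_DENIED/407 1673 GET http://ya.ru/ - NONE/-
10.2.5.52 TCP_DENIED/407 1673 GET http://ya.ru/ - NONE/-
10.2.5.52 TCP_MISS/200 1566 GET http://ya.ru/ - DIRECT/213.180.194.129
10.2.5.52 TCP_DENIED/407 1730 GET http://www.yandex.ru/yandsearch? - NONE/-
10.2.5.52 TCP_DENIED/407 1730 GET http://www.yandex.ru/yandsearch? - NONE/-
10.2.5.52 TCP_MISS/200 5845 GET http://www.yandex.ru/yandsearch? sdpmz\kgi DIRECT/213.180.194.12
10.2.5.99 TCP_DENIED/407 1673 GET http://example.test/ - NONE/-
10.2.5.99 TCP_DENIED/407 1673 GET http://example.test/ - NONE/-
10.2.5.99 TCP_DENIED/407 1673 GET http://example.test/ - NONE/-
"""

# client, result/status, bytes, method, URL, user, hierarchy/peer
LINE = re.compile(r"^(\S+) (\w+)/(\d{3}) (\d+) (\S+) (\S+) (\S+) (\S+)$")

def classify(log_text):
    """Per client: 407s that led to a request, 407s that never did, users seen."""
    pending = defaultdict(int)  # anonymous 407s not yet followed by a non-407 line
    summary = defaultdict(lambda: {"negotiation": 0, "unresolved": 0,
                                   "passed": 0, "users": set()})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank or differently formatted line
        client, _result, status, _size, _method, _url, user, _peer = m.groups()
        entry = summary[client]
        if status == "407" and user == "-":
            pending[client] += 1
        else:
            # Assumption: a non-407 line means the proxy stopped challenging,
            # so the preceding 407s were NTLM negotiation, not failures.
            entry["negotiation"] += pending.pop(client, 0)
            entry["passed"] += 1
            if user != "-":
                entry["users"].add(user)
    for client, count in pending.items():
        summary[client]["unresolved"] += count  # challenged, never completed
    return {client: dict(entry) for client, entry in summary.items()}

if __name__ == "__main__":
    for client, entry in classify(SAMPLE).items():
        print(client, entry)
```

Clients with a non-zero `unresolved` count are the ones worth a closer look; the 407 pairs counted under `negotiation` are expected noise from NTLM.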