Fiddler uses NTLM authentication instead of Kerberos

1 posts, 0 answers
  1. Simon
    Simon avatar
    1 posts
    Member since:
    Jul 2016

    Posted 19 Jul Link to this post

    Hi,

    I am behind a squid http proxy (doesn't allow socks connections) in my work environment and can't access the internet from the command line, so I'm trying to use Fiddler as a proxy to e.g. install VS Code or Atom Packages. I am able to install npm packages using Fiddler as the proxy, but it doesn't work for either VS Code extensions or Atom packages.

    When Fiddler creates the http tunnel, I get a "407 Proxy Authentication Required" with "Proxy-Authenticate: Negotiate" (and Basic realm) as expected, and then Fiddler tries to authenticate using NTLM (Proxy-Authorization header value starts with "Negotiate TlRMT..."). I have the "Automatically Authenticate" rule enabled. The proxy server responds with a 407 again and in the response body it says "Cache Access Denied. Sorry, you are not allowed to request <domain>:<port> from this cache until you have authenticated yourself."

    These are the response headers of the second 407 response:

    HTTP/1.1 407 Proxy Authentication Required
    Server: squid
    Mime-Version: 1.0
    Date: Tue, 19 Jul 2016 11:31:52 GMT
    Content-Type: text/html
    Content-Length: 3329
    X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
    Vary: Accept-Language
    Content-Language: en
    Proxy-Authenticate: Negotiate
    Proxy-Authenticate: Basic realm="Internet Access"
    X-Cache: MISS from <proxy-server-name>
    Connection: close
    Proxy-Support: Session-Based-Authentication

     

    I investigated and am quite sure that I need Kerberos authentication instead of NTLM. I logged other requests with WireShark/Firefox developer tools and they all use Kerberos. So my question is: Can I force Fiddler to use Kerberos authentication? Or is there a specific reason that makes Fiddler use NTLM instead of Kerberos?

    Also what I don't understand is why npm can install packages but apm (Atom package manager) can't. According to the apm readme the only relevant difference is that "Atom packages are installed from GitHub repositories instead of npmjs.com". When I install a npm package, I only see http tunnels to registry.npmjs.org:443 with response code 200, there isn't even one 407 response in Fiddler (no proxy auth required?). When trying to install an apm package, it says "tunneling socket could not be established, statusCode =407 (5 attempts)", and for each attempt I see two http tunnels to atom.io:443 as described above (second one rejects NTLM authentication).

     

    Thank you for any help!

Back to Top