Fiddler uses NTLM authentication instead of Kerberos

1 posts, 0 answers
  1. Simon
    Simon avatar
    1 posts
    Member since:
    Jul 2016

    Posted 19 Jul 2016 Link to this post


    I am behind a squid http proxy (doesn't allow socks connections) in my work environment and can't access the internet from the command line, so I'm trying to use Fiddler as a proxy to e.g. install VS Code or Atom Packages. I am able to install npm packages using Fiddler as the proxy, but it doesn't work for either VS Code extensions or Atom packages.

    When Fiddler creates the http tunnel, I get a "407 Proxy Authentication Required" with "Proxy-Authenticate: Negotiate" (and Basic realm) as expected, and then Fiddler tries to authenticate using NTLM (Proxy-Authorization header value starts with "Negotiate TlRMT..."). I have the "Automatically Authenticate" rule enabled. The proxy server responds with a 407 again and in the response body it says "Cache Access Denied. Sorry, you are not allowed to request <domain>:<port> from this cache until you have authenticated yourself."

    These are the response headers of the second 407 response:

    HTTP/1.1 407 Proxy Authentication Required
    Server: squid
    Mime-Version: 1.0
    Date: Tue, 19 Jul 2016 11:31:52 GMT
    Content-Type: text/html
    Content-Length: 3329
    Vary: Accept-Language
    Content-Language: en
    Proxy-Authenticate: Negotiate
    Proxy-Authenticate: Basic realm="Internet Access"
    X-Cache: MISS from <proxy-server-name>
    Connection: close
    Proxy-Support: Session-Based-Authentication


    I investigated and am quite sure that I need Kerberos authentication instead of NTLM. I logged other requests with WireShark/Firefox developer tools and they all use Kerberos. So my question is: Can I force Fiddler to use Kerberos authentication? Or is there a specific reason that makes Fiddler use NTLM instead of Kerberos?

    Also what I don't understand is why npm can install packages but apm (Atom package manager) can't. According to the apm readme the only relevant difference is that "Atom packages are installed from GitHub repositories instead of". When I install a npm package, I only see http tunnels to with response code 200, there isn't even one 407 response in Fiddler (no proxy auth required?). When trying to install an apm package, it says "tunneling socket could not be established, statusCode =407 (5 attempts)", and for each attempt I see two http tunnels to as described above (second one rejects NTLM authentication).


    Thank you for any help!

Back to Top