On Fri, 27 Feb 2004, Andrej G. Zadorozhnyj wrote:

> My problem: user "kgi" from NT domain "sdpmz" browses www.ya.ru. In
> access.log I see the following information:
> 10.2.5.52 TCP_DENIED/407 1673 GET http://ya.ru/ - NONE/-
> 10.2.5.52 TCP_DENIED/407 1673 GET http://ya.ru/ - NONE/-
> 10.2.5.52 TCP_MISS/200 1566 GET http://ya.ru/ - DIRECT/213.180.194.129
> 10.2.5.52 TCP_DENIED/407 1730 GET http://www.yandex.ru/yandsearch? - NONE/-
> 10.2.5.52 TCP_DENIED/407 1730 GET http://www.yandex.ru/yandsearch? - NONE/-
> 10.2.5.52 TCP_MISS/200 5845 GET http://www.yandex.ru/yandsearch? sdpmz\kgi
> DIRECT/213.180.194.12
>
> The first and second strings tell me about the auth process, and in the
> third string I want to see "domain\user", but it is in the sixth string
> only, after user "kgi" completed his find-request.

The reason for this is how NTLM operates. For each new TCP connection opened by the browser to the proxy there are two TCP_DENIED/407 with no username, indicating NTLM is negotiating the authentication. When the connection is authenticated the request is forwarded to the requested server (TCP_MISS ... DIRECT).

Regards
Henrik
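
An added illustration, not part of the original messages and not Squid code: a Python example that tallies, per client, the username-less 407 challenges the reply describes and lists clients whose negotiation never produces a request with a username. It assumes the seven-field layout of the excerpt quoted above; the sample lines, the function names and the `min_407` threshold are constructed for this example.

```python
from collections import defaultdict

# Constructed sample lines (not from the thread), in the field layout of the
# excerpt quoted above: client result/status bytes method URL user hierarchy/peer
SAMPLE = r"""
192.0.2.10 TCP_DENIED/407 1673 GET http://example.com/ - NONE/-
192.0.2.10 TCP_DENIED/407 1673 GET http://example.com/ - NONE/-
192.0.2.10 TCP_MISS/200 1566 GET http://example.com/ EXAMPLE\alice DIRECT/198.51.100.7
192.0.2.10 TCP_MISS/200 5845 GET http://example.com/search? EXAMPLE\alice DIRECT/198.51.100.7
192.0.2.20 TCP_DENIED/407 1673 GET http://example.org/ - NONE/-
192.0.2.20 TCP_DENIED/407 1673 GET http://example.org/ - NONE/-
192.0.2.20 TCP_DENIED/407 1673 GET http://example.org/ - NONE/-
192.0.2.20 TCP_DENIED/407 1673 GET http://example.org/ - NONE/-
""".strip().splitlines()


def summarize(lines):
    """Count, per client, 407 challenges and requests that carry a username."""
    stats = defaultdict(lambda: {"denied_407": 0, "authenticated": 0, "users": set()})
    for line in lines:
        fields = line.split()
        if len(fields) != 7:
            continue  # not in the assumed seven-field layout
        client, result, _size, _method, _url, user, _peer = fields
        entry = stats[client]
        if result == "TCP_DENIED/407" and user == "-":
            entry["denied_407"] += 1  # challenge step, expected while NTLM negotiates
        elif user != "-":
            entry["authenticated"] += 1
            entry["users"].add(user)
    return dict(stats)


def never_authenticated(stats, min_407=3):
    """Clients with at least min_407 challenges and no authenticated request.

    min_407=3 is an assumed threshold: more than the two 407s that the
    negotiation on a single connection produces.
    """
    return sorted(c for c, s in stats.items()
                  if s["denied_407"] >= min_407 and s["authenticated"] == 0)


if __name__ == "__main__":
    stats = summarize(SAMPLE)
    for client, s in stats.items():
        print(client, s["denied_407"], s["authenticated"], sorted(s["users"]))
    print("never authenticated:", never_authenticated(stats))
```

The access.log layout shown carries no connection identifier, so the tally is per client address rather than per TCP connection.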
