Chaining to proxy and Kerberos


Mike S.

Mar 17, 2014, 2:51:17 PM
to httpf...@googlegroups.com

Hi There,

I am new to Fiddler and need some help with chaining to an upstream proxy that requires Kerberos authentication.

The scenario is this: Users have IE (several versions from 9 to 11) configured to use McAfee Web Gateway as a proxy.  The rules on the gateway require Kerberos authentication, and it works well.  Some users need to inspect pages and use Fiddler to help with that, however when they launch Fiddler, they see 407 result codes and the web gateway is requesting authentication.  The response header is “Proxy-Authenticate: Negotiate” and the request header is “Proxy-Authorization: Negotiate TlRM…”  If I’m not mistaken, this is an NTLM request. 

So the question is: how should Fiddler (v4.4.6.2) be configured to chain to an upstream proxy that requires Kerberos authentication?

I’ve noted other posts here that refer to an ‘Automatically Authenticate’ option item on the Rules menu and it’s been suggested that this option might help.  Unfortunately, my Fiddler version does not have that option, so I haven’t tested that specifically.  Perhaps there is another way to set it?

Thanks for any help or pointers you have.

Cheers,

Mike
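
Added example, not part of the original thread: a Node.js helper that decodes the token in a `Proxy-Authorization` or `Proxy-Authenticate` value and reports whether it carries raw NTLM (base64 beginning `TlRM`, the `NTLMSSP` signature), SPNEGO, or Kerberos, which is the first thing to check when a gateway that requires Kerberos keeps answering 407. The function name and both sample tokens are constructed for illustration.

```javascript
// Added example (Node.js). Sample tokens are constructed, not captured traffic.
const OID = {
  spnego: Buffer.from('2b0601050502', 'hex'),         // 1.3.6.1.5.5.2
  kerberos: Buffer.from('2a864886f712010202', 'hex'), // 1.2.840.113554.1.2.2
  ntlm: Buffer.from('2b06010401823702020a', 'hex'),   // 1.3.6.1.4.1.311.2.2.10
};
const NTLM_SIG = Buffer.from('NTLMSSP\0', 'latin1');
const NTLM_TYPES = { 1: 'NEGOTIATE', 2: 'CHALLENGE', 3: 'AUTHENTICATE' };

function classifyAuthHeader(value) {
  const m = /^\s*(Negotiate|NTLM|Kerberos)(?:\s+([A-Za-z0-9+/=]+))?\s*$/i.exec(value);
  if (!m) return { scheme: null, mechanism: 'unrecognized' };
  const scheme = m[1];
  if (!m[2]) return { scheme, mechanism: 'none', detail: 'bare challenge' };
  const tok = Buffer.from(m[2], 'base64');

  // Raw NTLM: 8-byte signature, then a little-endian uint32 message type.
  if (tok.length >= 12 && tok.subarray(0, 8).equals(NTLM_SIG)) {
    return { scheme, mechanism: 'NTLM', detail: NTLM_TYPES[tok.readUInt32LE(8)] || 'unknown' };
  }
  // GSS-API initial token: tag 0x60, DER length, then the mechanism OID.
  if (tok[0] === 0x60) {
    let i = 1;
    if (tok[i] & 0x80) i += tok[i] & 0x7f; // skip long-form length bytes
    i += 1;
    if (tok[i] !== 0x06) return { scheme, mechanism: 'malformed' };
    const oid = tok.subarray(i + 2, i + 2 + tok[i + 1]);
    if (oid.equals(OID.kerberos)) return { scheme, mechanism: 'Kerberos' };
    if (oid.equals(OID.spnego)) {
      // Heuristic: which mechanism OIDs occur anywhere inside the SPNEGO token.
      const offered = ['kerberos', 'ntlm'].filter((k) => tok.includes(OID[k]));
      return { scheme, mechanism: 'SPNEGO', detail: offered.join('+') || 'other' };
    }
    return { scheme, mechanism: 'GSS-API', detail: 'other mechanism' };
  }
  if (tok[0] === 0xa1) return { scheme, mechanism: 'SPNEGO', detail: 'negTokenResp' };
  return { scheme, mechanism: 'unknown' };
}

// Constructed samples: an NTLM type-1 message and a SPNEGO token offering Kerberos.
const SAMPLE_NTLM = 'Negotiate ' + Buffer.concat(
  [NTLM_SIG, Buffer.from('01000000078208a2', 'hex')]).toString('base64');
const SAMPLE_SPNEGO_KRB = 'Negotiate ' + Buffer.from(
  '601b06062b0601050502a011300fa00d300b06092a864886f712010202', 'hex').toString('base64');

for (const h of ['Negotiate', SAMPLE_NTLM, SAMPLE_SPNEGO_KRB]) {
  console.log(h.slice(0, 24), '=>', JSON.stringify(classifyAuthHeader(h)));
}
```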

EricLaw

Mar 17, 2014, 4:52:18 PM
to httpf...@googlegroups.com
Hi, Mike--

You haven't yet explained what problem is encountered? It's expected that an upstream proxy server will send a HTTP/407 response back to a client to trigger that client to provide authentication, and it's expected that this 407 is visible in Fiddler. Perhaps you're saying that users see a visible authentication prompt and they normally don't? Or maybe that the authentication fails?

The Automatically Authenticate option on the Rules menu is an option provided by the FiddlerScript file; it's been included in the default rules script for quite some time, but it's possible that you're still using an older script file carried over from an older install of Fiddler. You can either copy over the change from the SampleRules.js file, or if you haven't made any custom modifications to your %userprofile%\documents\fiddler2\scripts\customrules.js that you want to keep, you can simply delete that file and restart Fiddler, which will then regenerate the file using the current SampleRules file. This option may resolve any issue you have with proxy authentication if the proxy is using Channel Binding Tokens or a similar technique to prevent credential re-use.

Tip: The Auth tab in Fiddler will show you what sorts of authentication challenges and messages are sent and received.


-Eric

Mike S.

Mar 18, 2014, 7:24:13 PM
to httpf...@googlegroups.com

Hi Eric,

So the problem was what you discussed on the MSDN blog (http://blogs.msdn.com/b/fiddler/archive/2011/09/04/fiddler-http-401-authentication-workaround-to-support-channel-binding-tokens-removing-endless-prompts.aspx), where the users are constantly prompted for credentials, and providing valid credentials does not help.

I did delete the old js file and now I see some of the features that others have spoken of :)

I still did not get it to work, I tried three attempts:

1) Just enable Rules -> Automatically Authenticate

2) Use the script mod from the MSDN blog, but tune the EndsWith domain to match our network

3) Change the condition that triggers the X-AutoAuth setting so that it fires (in try #2, it didn't fire) by testing for responseCode == 407. It did fire (I can tell because the background color was pink), but it still did not address the issue.

Below is a screenshot of my Fiddler session. I'm hoping there is something there that can help...

Let me know if there is something else I should try.

Thanks,

Mike

EricLaw

Mar 24, 2014, 1:21:04 PM
to httpf...@googlegroups.com
Can you email me a Fiddler SAZ file showing this traffic (Help > Send Feedback in Fiddler)? Thanks!

Dave Syckle

Apr 27, 2016, 4:51:20 PM
to Fiddler
Mike
Did you ever figure this out? I am trying to use Fiddler behind McAfee Web Gateways with Kerberos as well.

Eric Lawrence

Apr 29, 2016, 12:06:56 PM
to Fiddler
Dave-- What problem(s) are you encountering?