SSL/TLS filtering blocks HTTP web authentication with NTLM/Negotiate


We have an issue where users cannot authenticate on a web page using:

WWW-Authenticate: NTLM
WWW-Authenticate: Negotiate

When accessing the URL, the user gets the credentials prompt from their browser (Firefox or Chromium) but gets re-prompted (this occurs when the server rejects the credentials and tells the browser with a 401 HTTP response, which re-asks for credentials).

When I disable the "SSL/TLS filtering", authentication works fine.

I have no issue authenticating on HTTP Basic Auth (WWW-Authenticate: Basic realm="foo").

I am not really used to NTLM authentication: is there something I can configure to keep filtering SSL/TLS but make NTLM auth work?


  • Windows 10 Pro
  • ESET Endpoint Security v10.0.2045.0

It is a (third-party owned) preproduction/staging web site.

Accessed over the public Internet using a public FQDN (not an IP).

TLS certificates look OK: issued by Sectigo and USERTrust.

The Qualys SSL Labs tests return no special error on the certificates (content and path).


  • 1 month later...
  • ESET Moderators

Hello @cyb,

I found a similar case from the past.

This behavior might be a security feature of the underlying authentication protocol (see https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/extended-protection-for-authentication-overview).

We recommend creating an exception on the affected endpoints (this is the preferred solution):

  1. Open the following configuration path: Web and email -> SSL/TLS -> List of known certificates
  2. Click Add, URL, enter extwadfs2v.seas.sk (alternatively you can import the certificate manually by clicking File)
  3. Change Scan action to Ignore

note for us: P_EESW-2983


This topic is now closed to further replies.
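
Added example, not part of the thread and not ESET or Microsoft code: if Extended Protection for Authentication is what the server enforces, as the moderator's reply suggests, this sketch shows why a re-signed certificate from SSL/TLS filtering leads to a 401 while Basic auth is unaffected. It computes the RFC 5929 `tls-server-end-point` channel binding and the MD5 token NTLM carries in `MsvAvChannelBindings`. The certificate bytes, function names and the simplified server check are assumptions made for illustration.

```python
import hashlib
import struct

# Constructed stand-ins for DER-encoded certificates (not real certificates).
SERVER_CERT_DER = b"constructed DER bytes: certificate issued by the site's public CA"
PROXY_CERT_DER = b"constructed DER bytes: certificate re-issued by the local filtering CA"


def tls_server_end_point(cert_der, sig_hash="sha256"):
    """RFC 5929 tls-server-end-point: hash of the certificate the TLS peer presented.

    The hash comes from the certificate's signature algorithm, except that
    MD5 and SHA-1 are replaced by SHA-256.
    """
    if sig_hash in ("md5", "sha1"):
        sig_hash = "sha256"
    return hashlib.new(sig_hash, cert_der).digest()


def channel_binding_token(cert_der, sig_hash="sha256"):
    """MD5 over a gss_channel_bindings_struct with only application data set."""
    app_data = b"tls-server-end-point:" + tls_server_end_point(cert_der, sig_hash)
    # Initiator/acceptor address type and length fields are all zero.
    header = struct.pack("<4I", 0, 0, 0, 0)
    gss_struct = header + struct.pack("<I", len(app_data)) + app_data
    return hashlib.md5(gss_struct).digest()


def server_accepts(client_token, server_cert_der):
    """Simplified server-side check: the client's token must match the token
    derived from the certificate the server really uses."""
    return client_token == channel_binding_token(server_cert_der)


def simulate(cert_seen_by_browser):
    """Return the HTTP status the browser would get for a given presented certificate."""
    token = channel_binding_token(cert_seen_by_browser)
    return 200 if server_accepts(token, SERVER_CERT_DER) else 401


if __name__ == "__main__":
    print("filtering off:", simulate(SERVER_CERT_DER))  # browser sees the real certificate
    print("filtering on: ", simulate(PROXY_CERT_DER))   # browser sees the re-signed certificate
```

With the host set to Ignore in the list of known certificates, the browser again sees the server's own certificate, so both sides derive the same token.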