Recently a colleague pointed me at the following Blue Coat KB about NTLM issues. Basically, the iPhones on the corp network were getting multiple authentication challenges even though the username & password are saved in the connection profile!
To resolve this we created a second authentication realm on the Blue Coat with Kerberos & NTLM authentication disabled (i.e. only basic auth). We then created an authentication rule which matches user agent strings and authenticates against the new basic-only realm. Below are some command lines to point you in the right direction:

!- BEGIN authentication
security iwa create-realm uk 10.10.10.10 16101
security iwa edit-realm uk ;mode
alternate-server 10.10.10.11 16101
exit
security iwa create-realm ukBasicAuth 10.10.10.10 16101
security iwa edit-realm ukBasicAuth ;mode
alternate-server 10.10.10.11 16101
credentials-kerberos disable
credentials-ntlm disable
exit

I should point out that the KB is out of date; upon implementing it we noticed a lot of Windows users getting unwanted authentication challenges, therefore I suggest you only match against ipad... in fact I stuck Macintosh in as well and my MacBook is getting fewer challenges too!
Enjoy the CPL goodness below!

;; Description: BlueCoat KB4741
define condition __CondList1BasicUserAgents
    request.header.User-Agent="iphone"
    request.header.User-Agent="ipad"
    request.header.User-Agent="Macintosh"
    request.header.User-Agent="CFNetwork"
end condition __CondList1BasicUserAgents

define condition BasicUserAgents
    condition=__CondList1BasicUserAgents
end condition BasicUserAgents

<Proxy>
    condition=BasicUserAgents authenticate(ukBasicAuth) authenticate.force(no) authenticate.mode(proxy) ; KB4741
    authenticate(uk) authenticate.force(yes) authenticate.mode(proxy) ; All Internet Traffic
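
To confirm the rule behaves as intended once installed, the following added example (not part of the original post or the Blue Coat KB) checks the Proxy-Authenticate headers of observed 407 responses against the policy above. The sample observations are constructed, and the case-insensitive substring matching of User-Agent values is an assumption about how the proxy evaluates the conditions.

```python
import re

# Assumption: the proxy matches these substrings case-insensitively,
# mirroring the four User-Agent conditions in the CPL above.
BASIC_ONLY_AGENTS = ("iphone", "ipad", "macintosh", "cfnetwork")

_QUOTED = re.compile(r'"(?:[^"\\]|\\.)*"')
_SCHEME = re.compile(r"^([!#$%&'*+.^_`|~0-9A-Za-z-]+)(?:\s+[^=\s]|\s*$)")

def offered_schemes(header_values):
    """Return the auth schemes named in a list of Proxy-Authenticate values."""
    schemes = set()
    for value in header_values:
        # Blank out quoted strings so commas inside realm="..." do not split.
        for piece in _QUOTED.sub('""', value).split(","):
            match = _SCHEME.match(piece.strip())
            if match:  # auth-params such as realm="" never match
                schemes.add(match.group(1).lower())
    return schemes

def verify(user_agent, header_values):
    """Return a list of problems for one observed 407 response."""
    schemes = offered_schemes(header_values)
    basic_only = any(s in user_agent.lower() for s in BASIC_ONLY_AGENTS)
    problems = []
    if basic_only and schemes != {"basic"}:
        problems.append("expected Basic only, got %s" % sorted(schemes))
    if not basic_only and not schemes & {"ntlm", "negotiate"}:
        problems.append("NTLM/Kerberos missing, got %s" % sorted(schemes))
    return problems

# Constructed observations: (User-Agent, Proxy-Authenticate header values).
SAMPLES = [
    ("Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X)",
     ['Basic realm="uk, basic only"']),
    ("Mozilla/5.0 (Windows NT 6.1; WOW64)",
     ["Negotiate", "NTLM", 'Basic realm="uk"']),
    ("Mozilla/5.0 (Windows NT 6.1; WOW64)",   # misrouted to the Basic realm
     ['Basic realm="uk"']),
    ("Mozilla/5.0 (iPad; CPU OS 5_0 like Mac OS X)",   # still offered NTLM
     ['NTLM, Basic realm="uk"']),
]

if __name__ == "__main__":
    for agent, headers in SAMPLES:
        print(agent[:40], "->", verify(agent, headers) or "ok")
```

Clients that land in the Basic-only realm send their credentials base64-encoded on every request, so a Windows agent reported as Basic-only is worth chasing down.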