Recently a colleague pointed me at the following Blue Coat KB (KB4741) about NTLM issues, as the iPhones on the corp network were getting multiple authentication challenges even though the username and password are saved in the connection profile!

To resolve this we created a second authentication realm on the Blue Coat with Kerberos and NTLM authentication disabled (i.e. Basic auth only), then created an authentication rule which matches User-Agent strings and authenticates those clients against the new Basic-only realm. Below are some command lines to point you in the right direction:

!- BEGIN authentication
security iwa create-realm uk 10.10.10.10 16101
security iwa edit-realm uk ;mode
alternate-server 10.10.10.11 16101
exit
security iwa create-realm ukBasicAuth 10.10.10.10 16101
security iwa edit-realm ukBasicAuth ;mode
alternate-server 10.10.10.11 16101
credentials-kerberos disable
credentials-ntlm disable
exit

I should point out that the KB is out of date; upon implementing it we noticed a lot of Windows users getting unwanted authentication challenges, therefore I suggest you only match against iPhone and iPad... in fact I stuck Macintosh in as well and my MacBook is getting fewer challenges too!

Enjoy the CPL goodness below!

;; Description: BlueCoat KB4741
define condition __CondList1BasicUserAgents
        request.header.User-Agent="iphone"
        request.header.User-Agent="ipad"
        request.header.User-Agent="Macintosh"
        request.header.User-Agent="CFNetwork"
end condition __CondList1BasicUserAgents

define condition BasicUserAgents
        condition=__CondList1BasicUserAgents
end condition BasicUserAgents

<Proxy>
        condition=BasicUserAgents authenticate(ukBasicAuth)  authenticate.force(no) authenticate.mode(proxy)    ; KB4741
        authenticate(uk)  authenticate.force(yes) authenticate.mode(proxy)      ; All Internet Traffic
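To check a User-Agent list like the one above against real traffic before you commit it to policy, here is a small simulator of the `<Proxy>` layer: it evaluates the page's condition list against sample User-Agent strings, reports which pattern fired and which realm each client would land in, and counts how many clients get downgraded to Basic. This is an added example, not code from the post or from Blue Coat. The User-Agent strings are constructed samples standing in for values you would pull from the proxy's access log, and the matcher assumes the header test is a case-insensitive unanchored search (the post's lower-case `"iphone"` pattern matching real `iPhone` headers suggests that, but the `ignore_case` flag lets you test the case-sensitive reading if your SGOS build behaves differently).

```python
import re
from typing import Dict, List, Optional

# Patterns from the page's __CondList1BasicUserAgents condition, in order.
# CPL tests request.header.User-Agent with a regular expression searched
# within the header value rather than anchored to it.
BASIC_USER_AGENT_PATTERNS: List[str] = ["iphone", "ipad", "Macintosh", "CFNetwork"]

# Realm names from the page's SGOS config: the Basic-only realm and the IWA realm.
BASIC_REALM = "ukBasicAuth"
IWA_REALM = "uk"

# Constructed sample User-Agent strings (typical formats, not values from the
# page) standing in for headers harvested from the proxy's access log.
SAMPLE_USER_AGENTS: Dict[str, str] = {
    "iphone_safari": "Mozilla/5.0 (iPhone; CPU iPhone OS 6_1 like Mac OS X) "
                     "AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10B144 Safari/8536.25",
    "ipad_safari": "Mozilla/5.0 (iPad; CPU OS 6_1 like Mac OS X) "
                   "AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10B141 Safari/8536.25",
    "mac_safari": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) "
                  "AppleWebKit/537.13 (KHTML, like Gecko) Version/6.0.2 Safari/536.26.17",
    "ios_mail_cfnetwork": "MobileSafari/8536.25 CFNetwork/609.1.4 Darwin/13.0.0",
    "windows_ie": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)",
    "windows_chrome": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 "
                      "(KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36",
}


def matching_pattern(user_agent: str,
                     patterns: List[str] = BASIC_USER_AGENT_PATTERNS,
                     ignore_case: bool = True) -> Optional[str]:
    """Return the first pattern that fires for this User-Agent, or None.

    ignore_case defaults to True on the assumption (not verified here) that the
    proxy matches header regexes case-insensitively; flip it to see what the
    policy does if the match is case-sensitive.
    """
    flags = re.IGNORECASE if ignore_case else 0
    for pat in patterns:
        if re.search(pat, user_agent, flags):
            return pat
    return None


def realm_for_user_agent(user_agent: str,
                         patterns: List[str] = BASIC_USER_AGENT_PATTERNS,
                         ignore_case: bool = True) -> str:
    """Realm the <Proxy> layer sends this request to. First matching rule wins:
    a BasicUserAgents hit goes to the Basic-only realm, everything else falls
    through to the IWA (Kerberos/NTLM) realm."""
    if matching_pattern(user_agent, patterns, ignore_case) is not None:
        return BASIC_REALM
    return IWA_REALM


def classify_user_agents(samples: Dict[str, str],
                         patterns: List[str] = BASIC_USER_AGENT_PATTERNS,
                         ignore_case: bool = True) -> Dict[str, str]:
    """Map each sample label to the realm it would authenticate against."""
    return {label: realm_for_user_agent(ua, patterns, ignore_case)
            for label, ua in samples.items()}


def realm_counts(samples: Dict[str, str],
                 patterns: List[str] = BASIC_USER_AGENT_PATTERNS,
                 ignore_case: bool = True) -> Dict[str, int]:
    """Count how many sampled clients are downgraded to Basic. Basic auth sends
    the password base64-encoded on every challenged request, so this number
    should stay as small as the iOS/Mac population that actually needs it."""
    counts = {BASIC_REALM: 0, IWA_REALM: 0}
    for realm in classify_user_agents(samples, patterns, ignore_case).values():
        counts[realm] += 1
    return counts


if __name__ == "__main__":
    for label, ua in SAMPLE_USER_AGENTS.items():
        print(f"{label:20s} -> {realm_for_user_agent(ua):12s} "
              f"(matched: {matching_pattern(ua)})")
    print(realm_counts(SAMPLE_USER_AGENTS))
    # A broader pattern such as "Safari" also catches Windows Chrome, which is
    # the kind of over-match that produces unwanted challenges on Windows.
    print(realm_counts(SAMPLE_USER_AGENTS, BASIC_USER_AGENT_PATTERNS + ["Safari"]))
```

Run it with a dump of distinct User-Agent values from your access log in place of `SAMPLE_USER_AGENTS`: anything that lands in `ukBasicAuth` that is not an Apple client is a pattern to tighten, and the `ignore_case=False` run tells you whether the lower-case patterns still catch `iPhone`/`iPad` headers if the proxy's regex match turns out to be case-sensitive.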

Nick Bettison ©