I have an application that is required to send HTTP requests via a proxy supporting only NTLM authentication against the local domain controller. I am using a libcurl SSPI build to send requests which is working on Windows 7+ as Local System and Windows Server 2008 as a Domain user.

When I run the application as the Local System user on S2008 however, authentication with the proxy fails. Inspection of the NTLM handshake reveals that:

  • The 'Negotiate Anonymous' flag is set by the S2008 client and
  • No user details are being sent.

On Windows 7+ anonymous auth is not used, and the computer identity credentials are used instead. Some research indicates that use of computer credentials instead of anonymous NTLM authentication is a new feature in Windows 7+ (see TechNet) so, if this is the case, are there any ways I can enable anonymous auth on the domain controller or proxy to allow the anonymous authentication to succeed?

I am using a Squid 3.2.8 proxy with winbind and a Windows Server 2012 R2 domain controller.

1 Answer
These problems with authentication on Windows Server 2008 are due to differences in NTLM functionality on Windows 7 / Windows Server 2008 R2+.

In order to enable authentication of these legacy operating systems, three Group Policy settings must be enabled and configured in Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/Security Options:

  • Network security: Minimum session security for NTLM SSP based (including secure RPC) clients - Clear "Require 128-bit encryption"
  • Network security: Minimum session security for NTLM SSP based (including secure RPC) servers - Clear "Require 128-bit encryption"
  • Network security: Allow Local System to use computer identity for NTLM - Enable this policy

With these changes applied the legacy operating systems are able to authenticate and traverse the proxy successfully.
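The three policies in the answer are backed by registry values, which makes it possible to audit a machine's current state before touching Group Policy. The script below is an added example and is not part of the original answer; it assumes the following policy-to-registry mapping (verify it against secpol.msc on your build): the two "Minimum session security" policies are `NTLMMinClientSec` and `NTLMMinServerSec` under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0`, with "Require 128-bit encryption" as bit `0x20000000`, and "Allow Local System to use computer identity for NTLM" is `UseMachineId` under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`. Without `-Apply` it only reports; with `-Apply` it clears just the 128-bit bit (leaving any NTLMv2 session security bit intact) and sets `UseMachineId` to 1, honouring `-WhatIf`.

```powershell
# Added example (not from the original answer): audit, and optionally apply, the
# three security options the answer names, via their backing registry values.
# Registry paths, value names and the 0x20000000 bit are assumptions about the
# policy-to-registry mapping; confirm them on your build before relying on them.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Apply   # without -Apply the script only reports the current state
)

$Require128 = 0x20000000   # assumed: "Require 128-bit encryption" flag bit
$Msv1Key    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$LsaKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Read a DWORD value, treating a missing value as the supplied default.
function Get-RegDword {
    param([string]$Path, [string]$Name, [int]$Default = 0)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return [int]$item.$Name
}

# Report each setting as the answer phrases it, plus the raw values for the audit log.
function Test-NtlmPolicy {
    $clientSec    = Get-RegDword $Msv1Key 'NTLMMinClientSec'
    $serverSec    = Get-RegDword $Msv1Key 'NTLMMinServerSec'
    $useMachineId = Get-RegDword $LsaKey  'UseMachineId'

    [PSCustomObject]@{
        'NTLMMinClientSec (hex)'               = ('0x{0:X8}' -f $clientSec)
        'NTLMMinServerSec (hex)'               = ('0x{0:X8}' -f $serverSec)
        'Client requires 128-bit encryption'   = (($clientSec -band $Require128) -ne 0)
        'Server requires 128-bit encryption'   = (($serverSec -band $Require128) -ne 0)
        'Local System uses computer identity'  = ($useMachineId -eq 1)
    }
}

if ($Apply) {
    foreach ($name in 'NTLMMinClientSec', 'NTLMMinServerSec') {
        $current = Get-RegDword $Msv1Key $name
        # Clear only the 128-bit bit; keep any other minimum-security bits as they are.
        $new = $current -band (-bnot $Require128)
        if ($PSCmdlet.ShouldProcess("$Msv1Key\$name", ('set to 0x{0:X8}' -f $new))) {
            Set-ItemProperty -Path $Msv1Key -Name $name -Value $new -Type DWord
        }
    }
    if ($PSCmdlet.ShouldProcess("$LsaKey\UseMachineId", 'set to 1')) {
        Set-ItemProperty -Path $LsaKey -Name 'UseMachineId' -Value 1 -Type DWord
    }
}

Test-NtlmPolicy | Format-List
```

Run it from an elevated prompt on the proxy client (`.\Audit-NtlmPolicy.ps1` to report, `.\Audit-NtlmPolicy.ps1 -Apply -WhatIf` to preview). Two points a practitioner will want to keep in mind: on a domain-joined host any value written locally is overwritten at the next Group Policy refresh, so the durable change belongs in a GPO scoped to the hosts that actually need it; and clearing the 128-bit requirement lowers the minimum NTLM session security for every NTLM exchange on that host, not just the proxy one, which is a reason to keep that GPO's scope as narrow as the affected legacy machines.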
