Basic authentication mode has been added to the Active Directory connection parameters.
The proxy still requires authentication via popups
Take a look on the realtime requests, if you see “received type 1 NTLM token” its means that your browsers use NTLM and not basic to be authenticated
This can happen because Windows clients, even when not connected to a domain, sometimes automatically try to use NTLM (especially if they detect a local network) for authentication.
The proxy expects either Kerberos or Basic authentication, but NTLM is being sent, which Proxy's Negotiate authenticator can't handle properly.
¶ Force the Browser to Use Basic Authentication:
To prevent the browser from automatically trying NTLM, you need to configure the browser settings to fall back on Basic authentication or use it directly.
¶ For Internet Explorer/Edge/Chrome:
Since Chrome shares the same configuration as Internet Explorer on Windows, you can modify the settings for both:
Disable NTLM and Allow Kerberos/Basic:
- Click Custom level... under the Security tab for Local Intranet.
- Scroll down to User Authentication > Logon.
- Select Automatic logon only in Intranet zone or Prompt for user name and password. This setting ensures that the browser attempts Kerberos first and falls back to Basic authentication without using NTLM.
¶ Enable Integrated Windows Authentication:
- In Internet Options, go to the Advanced tab.
- Ensure that Enable Integrated Windows Authentication is checked. This will allow Kerberos to be used when accessing internal domains.
¶ Group Policy Settings (Optional):
If you're in a corporate environment and need to enforce this policy for multiple users, you can use Group Policy to enforce these settings.
- Open Group Policy Editor (
gpedit.msc). - Go to
Computer Configuration > Administrative Templates > System > Credentials Delegation - Look for any policies related to NTLM and ensure that they are disabled.
Alternatively, you can configure Trusted URIs for Kerberos authentication by adjusting the following policies:
Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page.- Site to Zone Assignment List: Add your proxy or domain to the Intranet zone.
¶ For Firefox
For Firefox: In about:config, set trusted URIs for automatic Kerberos authentication:
search for ntlm work and turn to false or empty on any parameter
eg
network.automatic-ntlm-auth.allow-non-fqdn falsenetwork.negotiate-auth.allow-insecure-ntlm-v1 falsenetwork.automatic-ntlm-auth.trusted-uris Emptynetwork.negotiate-auth.trusted-uris Emptynetwork.automatic-ntlm-auth.allow-proxies False
After making these changes, restart Firefox to ensure the new settings take effect.