===== TCP_DENIED and no username logged when NTLM enabled =====

If you have NTLM enabled, it is expected that your access log will contain a large number of 401 or 407 TCP_DENIED messages. If you are also logging the username, it will appear as ''-'' during the NEGOTIATE portion of the transaction, since the username is not yet known.

The standard NTLM sequence involves an NTLM SSP NEGOTIATE as well as an NTLM SSP CHALLENGE. In an access log or a policy trace, this sequence therefore looks like two failed attempts to authenticate followed by one that succeeds.

^ Sender ^ Receiver ^ Message ^
| Client | Proxy | GET %%www.site.com%% |
| Proxy | Client | 407 Proxy Authentication NTLM/BASIC |
| Client | Proxy | %%www.site.com%% NTLM SSP NEGOTIATE |
| Proxy | Client | 407 Proxy Authentication NTLM SSP CHALLENGE |
| Client | Proxy | GET %%www.site.com%% NTLM SSP AUTH |
| Proxy | Client | 200 Okay (Data) |

The sequence above, which is what occurs when a client authenticates via NTLM, will appear as two failed authentication attempts followed by one that is successful. The failed attempts also will not contain a username. This is normal behavior.

=== Example Log ===

<code>
[16/May/2004:12:00:00 +0000] 2 172.16.1.1 TCP_DENIED/407 1101 GET www.example.com/index.html NONE/- -none ICAP_NOT_SCANNED
[16/May/2004:12:00:00 +0000] 104 172.16.1.1 TCP_DENIED/407 1333 GET www.example.com/index.html NONE/- -none ICAP_NOT_SCANNED
[16/May/2004:12:00:01 +0000] 528 172.16.1.1 TCP_NC_MISS/200 7300 GET www.example.com/index.html MSSQLNET\PXG DIRECT/www.example.com application/octet-stream none ICAP_REPLACED
</code>

=== Modify Logging to suppress first two log entries ===

The following two-line policy can be added to your existing policy to suppress 407 responses from the access log.

<code>
exception.id=("authentication_redirect_from_virtual_host","authentication_redirect_to_virtual_host","authentication_failed") access_log[main] (no)
</code>
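
An added example, not part of the original page or of the proxy's own tooling: a Python function that reads access-log lines in the format of the example log and separates the expected NTLM pattern (at most two 407s followed by a completed request) from 407 entries that never complete. The function name, the 5-second window and the sample lines are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# [timestamp] time-taken client-ip action/status bytes method url ...
LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \d+ (?P<ip>\S+) \w+/(?P<status>\d{3}) \d+ \S+ (?P<url>\S+)")

def classify(lines, window=timedelta(seconds=5)):
    """Return (handshakes, unresolved) for the 407 entries in `lines`.

    handshakes: (ip, url) keys where at most two 407s were followed by a
                non-407 response within `window` (the normal NTLM exchange).
    unresolved: {(ip, url): count} of 407s outside that pattern.
    """
    pending, handshakes, unresolved = {}, [], {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not in the assumed format
        key = (m["ip"], m["url"])
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if m["status"] == "407":
            pending.setdefault(key, []).append(ts)
        elif key in pending:
            denials = pending.pop(key)
            if len(denials) <= 2 and ts - denials[0] <= window:
                handshakes.append(key)
            else:
                unresolved[key] = unresolved.get(key, 0) + len(denials)
    for key, denials in pending.items():  # 407s never followed by a success
        unresolved[key] = unresolved.get(key, 0) + len(denials)
    return handshakes, unresolved

# Constructed sample: one normal handshake, then three 407s with no success.
SAMPLE = [
    "[16/May/2004:12:00:00 +0000] 2 172.16.1.1 TCP_DENIED/407 1101 GET www.example.com/index.html NONE/- -none ICAP_NOT_SCANNED",
    "[16/May/2004:12:00:00 +0000] 104 172.16.1.1 TCP_DENIED/407 1333 GET www.example.com/index.html NONE/- -none ICAP_NOT_SCANNED",
    "[16/May/2004:12:00:01 +0000] 528 172.16.1.1 TCP_NC_MISS/200 7300 GET www.example.com/index.html MSSQLNET\\PXG DIRECT/www.example.com application/octet-stream none ICAP_REPLACED",
] + [
    f"[16/May/2004:12:00:1{i} +0000] 3 172.16.1.9 TCP_DENIED/407 1101 GET www.example.com/login NONE/- -none ICAP_NOT_SCANNED"
    for i in range(3)
]

if __name__ == "__main__":
    ok, bad = classify(SAMPLE)
    print("normal NTLM handshakes:", ok)
    print("407s without a completed request:", bad)
```

Running a check like this before suppressing 407 entries shows how many of them belong to the normal handshake and how many do not.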