If you have NTLM enabled, it is expected that your access log will contain a large number of 401 or 407 TCP_DENIED messages. If you are also logging the username, it will appear as a "-" during the NEGOTIATE portion of the transaction, since the username is not yet known.
The standard NTLM sequence involves an NTLM SSP NEGOTIATE as well as an NTLM SSP CHALLENGE. In an access log or a policy trace, this sequence therefore looks like two failed attempts to authenticate followed by one that succeeds.
| From | To | Message |
| --- | --- | --- |
| Client | Proxy | GET www.site.com |
| Proxy | Client | 407 Proxy Authentication NTLM/BASIC |
| Client | Proxy | www.site.com NTLM SSP NEGOTIATE |
| Proxy | Client | 407 Proxy Authentication NTLM SSP CHALLENGE |
| Client | Proxy | GET www.site.com NTLM SSP AUTH |
| Proxy | Client | 200 Okay (Data) |
The sequence above, which is what occurs when a client authenticates via NTLM, will appear as two failed authentication attempts followed by one that is successful. The failed attempts also will not contain a username. This is normal behavior.
[16/May/2004:12:00:00 +0000] 2 172.16.1.1 TCP_DENIED/407 1101 GET www.example.com/index.html NONE/- -none ICAP_NOT_SCANNED
[16/May/2004:12:00:00 +0000] 104 172.16.1.1 TCP_DENIED/407 1333 GET www.example.com/index.html NONE/- -none ICAP_NOT_SCANNED
[16/May/2004:12:00:01 +0000] 528 172.16.1.1 TCP_NC_MISS/200 7300 GET www.example.com/index.html MSSQLNET\PXG DIRECT/www.example.com application/octet-stream none ICAP_REPLACED
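The pattern described above can be checked mechanically: the following added example (not part of the original article or the proxy's own tooling) groups 407s per client and URL and separates the two expected handshake denials from 407 runs that never end in success. The function name `classify`, the `handshake_407s` threshold and the 172.16.1.9 sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Field order taken from the excerpt above; the username token is optional
# because the denied lines there carry none before the NONE/- field.
LINE = re.compile(
    r"\[[^\]]+\] \d+ (?P<ip>\S+) [A-Z_]+/(?P<status>\d{3}) \d+ "
    r"\S+ (?P<url>\S+) (?:(?P<user>\S+) )?[A-Z_]+/\S+"
)

# Constructed sample. The 172.16.1.1 lines mirror the excerpt; the
# 172.16.1.9 lines are invented to show a handshake that never completes.
SAMPLE_LOG = r"""
[16/May/2004:12:00:00 +0000] 2 172.16.1.1 TCP_DENIED/407 1101 GET www.example.com/index.html NONE/- -none ICAP_NOT_SCANNED
[16/May/2004:12:00:00 +0000] 104 172.16.1.1 TCP_DENIED/407 1333 GET www.example.com/index.html NONE/- -none ICAP_NOT_SCANNED
[16/May/2004:12:00:01 +0000] 528 172.16.1.1 TCP_NC_MISS/200 7300 GET www.example.com/index.html MSSQLNET\PXG DIRECT/www.example.com application/octet-stream none ICAP_REPLACED
[16/May/2004:12:00:05 +0000] 3 172.16.1.9 TCP_DENIED/407 1101 GET www.example.com/index.html NONE/- -none ICAP_NOT_SCANNED
[16/May/2004:12:00:05 +0000] 98 172.16.1.9 TCP_DENIED/407 1333 GET www.example.com/index.html NONE/- -none ICAP_NOT_SCANNED
[16/May/2004:12:00:06 +0000] 97 172.16.1.9 TCP_DENIED/407 1333 GET www.example.com/index.html NONE/- -none ICAP_NOT_SCANNED
"""


def classify(log_text, handshake_407s=2):
    """Separate NTLM handshake 407s from denials that need a closer look.

    Returns (completed, suspect). completed lists (ip, url, user, n_407)
    for each non-407 response and the handshake denials that preceded it;
    suspect maps (ip, url) to 407s beyond the handshake or never resolved.
    """
    pending = defaultdict(int)  # open 407 run per (client, URL)
    completed, suspect = [], defaultdict(int)
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        key = (m["ip"], m["url"])
        if m["status"] == "407":
            pending[key] += 1
            continue
        run = pending.pop(key, 0)
        completed.append((*key, m["user"], min(run, handshake_407s)))
        if run > handshake_407s:
            suspect[key] += run - handshake_407s
    for key, run in pending.items():  # 407s with no later success
        suspect[key] += run
    return completed, dict(suspect)


if __name__ == "__main__":
    done, odd = classify(SAMPLE_LOG)
    print("handshakes:", done)
    print("unresolved 407s:", odd)
```

Entries that land in `suspect` are the 407s that the normal two-step handshake does not account for.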
The following two-line policy can be added to your existing policy to suppress 407 responses from the access log.
<Exception>
exception.id=("authentication_redirect_from_virtual_host","authentication_redirect_to_virtual_host","authentication_failed") access_log[main] (no)