以Matrix的Blog為例，擷取其中的認證過程進行分析(注意，本文中使用的cookie值已經被處理過，呵呵，別想幹壞事握)

測試環境：
域：mydomain.com
域主機：davidturing.mydomain.com
域使用者：[email protected]
代理伺服器：proxyserver.mydomain.com

1） 登陸Windows域（mydomain.com），使用者名稱為davidturing
2） 開啟IE視窗，URL=http://www.matrix.org.cn/blog/cas/，由於公司使用了ProxyServer，員工必須通過ProxyServer才能上網。
於是，IE Client就向Proxyserver請求訪問Matrix Blog。
3） Proxy認證使用了NTLM

1: C --> S GET ...

2: C <-- S 401 Unauthorized
WWW-Authenticate: NTLM

3: C --> S GET ...
Authorization: NTLM

4: C <-- S 401 Unauthorized
WWW-Authenticate: NTLM

5: C --> S GET ...
Authorization: NTLM

6: C <-- S 200 Ok

需要指出，NTLM

4） 握手的過程被我Sniffer了下來，如下文所示：
/******************
Client->ProxyServer:
******************/
GET http://www.matrix.org.cn/blog/cas HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Accept-Language: zh-cn,en;q=0.8,zh;q=0.5,zh-tw;q=0.3
Cookie: user=cas%3A%3AAq3HtCAsqNlhY%3A%3A1; matrix_user_cookie=Y2FzfDgzMzM4MURELTk17UStMUU4MS05OTJDLTJERDM4RERGNkUyRg==
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Maxthon; .NET CLR 2.0.50215)
Host: www.matrix.org.cn
Proxy-Connection: Keep-Alive

{分析：注意，這是一個很簡單的HTTP GET請求，無非是想請求www.matrix.org.cn /blog/cas這張頁面}

/******************
ProxyServer-> Client:
******************/
HTTP/1.1 407 Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy service is denied. )
Via:1.1 PROXYSERVER
Proxy-Authenticate: NTLM
Proxy-Authenticate: Kerberos
Proxy-Authenticate: Negotiate
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 2372

．．．．．．返回給客戶端的HTTP實體，提示頁面內容被省略．．．．．．

{分析：接著，ProxyServer要求我提供認證資訊，注意，HTTP 407程式碼的含義是類似於401，表示客戶必須先經過代理伺服器的授權。我們還可以看到，Proxy-Authenticate欄位裡面包含了NTLM,Kerberos，表明可以通過客戶端來Negotiate再決定使用兩者中的一種}

/******************
Client->ProxyServer:
******************/
GET http://www.matrix.org.cn/blog/cas HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Accept-Language: zh-cn,en;q=0.8,zh;q=0.5,zh-tw;q=0.3
Cookie: user=cas%3A%3AAq3HtCAsqNlhY%3A%3A1; matrix_user_cookie=Y2FzfDgzMzM4MURELTk17UStMUU4MS05OTJDLTJERDM4RERGNkUyRg==
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Maxthon; .NET CLR 2.0.50215)
Host: www.matrix.org.cn
Proxy-Connection: Keep-Alive
Proxy-Authorization: NTLM TlRMTVNTUAABAAAAB4IAogAAAAAAAAAAAA
AAAAAAAAAFAJMIAAAAD2==

{分析：
這裡，客戶端將自己的NTLM程式碼傳送給伺服器，裡面包含了一些自己的域帳號傳送給ProxyServer，ProxyServer就可以知道使用者是誰，然後去域伺服器取出使用者的域密碼，加密一個隨機字串去Challenge使用者（見下文）。

在NTLM中，這是三次握手的"第一手"(Type1 Message),目的是Client告訴Server兩樣東西：
hoststring:即client的主機名(比如davidturing)
domainstring：即client在域中的名(比如davidturing.mydomain.com)

Proxy-Authorization的資訊結構如下
0 1 2 3
+-------+-------+-------+-------+
0: | 'N' | 'T' | 'L' | 'M' |
+-------+-------+-------+-------+
4: | 'S' | 'S' | 'P' | 0 |
+-------+-------+-------+-------+
8: | 1 | 0 | 0 | 0 |
+-------+-------+-------+-------+
12: | 0x03 | 0xb2 | 0 | 0 |
+-------+-------+-------+-------+
16: | domain length | domain length |
+-------+-------+-------+-------+
20: | domain offset | 0 | 0 |
+-------+-------+-------+-------+
24: | host length | host length |
+-------+-------+-------+-------+
28: | host offset | 0 | 0 |
+-------+-------+-------+-------+
32: | host string |
+ +
. .
. .
+ +-----------------+
| | domain string |
+-------------+ +
. .
. .
[如果資料圖顯示的太醜，可以參考：
http://www.innovation.ch/java/ntlm.html
]
由於擷取的資訊經過BASE64處理,所以，你不可能肉眼從Proxy-Authorization值中判斷出主機名和主機域名:)
}

/******************
ProxyServer-> Client:
******************/
HTTP/1.1 407 Proxy Authentication Required ( ¾Ü¾ø•ÃÎÊ¡£ )
Via:1.1 PROXYSERVER

Proxy-Authenticate:
NTLM TlRMTVNTUAACAAAAGAAYADgAAAAFgoGikmfj
JzhsTW0AAAAAAAAAAIoAigBQAAAABQCTCAAA
AA9IAE4ASQBTAEkALgBDAE8ATQAuAEMATgAC
ABgASABOAEkAUwBJAC4AQwBPAE0ALgBDAE4A
AQAWAFAAUgBPAFgAWQBTAEUAUgBWAEUAUgA
EABgAaABuAGkAcwBpAC4AYwBvAG0ALgBjAG4A
AwAwAHAAcgBvAHgAeQBzAGUAcgB2AGUAcgAuA
GgAbgBpAHMAaQAuAGMAbwBtAC4AYwBuAAAAA
AA=

Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 0

{分析：這個步驟中，ProxyServer迴應我的IE一個Proxy-Authorization，其值就是上面那段很長的字元，這是一個authcode，目的是Chanllenge客戶端(IE)。Chanllenge是對客戶端的一種身份挑戰，好比方，你說你是張三，OK，伺服器用張三的密碼加密一段咚咚，你能告訴伺服器這段咚咚是什麼，伺服器就相信你了。

這條type-2 Message是的三次握手的第二握。
0 1 2 3
+-------+-------+-------+-------+
0: | 'N' | 'T' | 'L' | 'M' |
+-------+-------+-------+-------+
4: | 'S' | 'S' | 'P' | 0 |
+-------+-------+-------+-------+
8: | 2 | 0 | 0 | 0 |
+-------+-------+-------+-------+
12: | 0 | 0 | 0 | 0 |
+-------+-------+-------+-------+
16: | message len | 0 | 0 |
+-------+-------+-------+-------+
20: | 0x01 | 0x82 | 0 | 0 |
+-------+-------+-------+-------+
24: | |
+ server nonce |
28: | |
+-------+-------+-------+-------+
32: | 0 | 0 | 0 | 0 |
+-------+-------+-------+-------+
36: | 0 | 0 | 0 | 0 |
+-------+-------+-------+-------+
裡面包含了server nounce值，這個值就是Challenge了。我們需要
根據這個8位元組的隨機數構造type-3 message。
}

/******************
Client->ProxyServer:
******************/
GET http://www.matrix.org.cn/blog/cas HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Accept-Language: zh-cn,en;q=0.8,zh;q=0.5,zh-tw;q=0.3
Proxy-Authorization:
NTLM TlRMTVNTUAADAAAAGAAYAJIAAAAYABgAqgA
AABgAGABIAAAAGAAYAGAAAAAaABoAeAAAA
AAAAADCAAAABYKAogUAkwgAAAAPaABuAGk
AcwBpAC4AYwBvAG0ALgBjAG4AaAB1AGEAbg
BnAHoAaABhAG8AcQBpAG4ASABVAEEATgBHA
FoASABBAE8AUQBJAE4AMQCGRQ1i+bZleAs2A
kgEXS/CfJ3oOrsi6prctAW2HyADaWwbNqmpO1
Eptq7yJUh4SXd=

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Maxthon; .NET CLR 2.0.50215)
Host: www.matrix.org.cn
Proxy-Connection: Keep-Alive
Cookie: user=cas%3A%3AAq3HtCAsqNlhY%3A%3A1; matrix_user_cookie=Y2FzfDgzMzM4MURELTk17UStMUU4MS05OTJDLTJERDM4RERGNkUyRg==

{分析：OK，這裡就是IE客戶端響應ProxyServer的Chanllenge，上面的NTLM=TIRMT….就是Challenge迴應碼，如果這段程式碼正確，ProxyServer就承認使用者的身份，就可以讓他到訪問外網資源。

分析一下這個type-3 Message，它的結構如下：
0 1 2 3
+-------+-------+-------+-------+
0: | 'N' | 'T' | 'L' | 'M' |
+-------+-------+-------+-------+
4: | 'S' | 'S' | 'P' | 0 |
+-------+-------+-------+-------+
8: | 3 | 0 | 0 | 0 |
+-------+-------+-------+-------+
12: | LM-resp len | LM-Resp len |
+-------+-------+-------+-------+
16: | LM-resp off | 0 | 0 |
+-------+-------+-------+-------+
20: | NT-resp len | NT-Resp len |
+-------+-------+-------+-------+
24: | NT-resp off | 0 | 0 |
+-------+-------+-------+-------+
28: | domain length | domain length |
+-------+-------+-------+-------+
32: | domain offset | 0 | 0 |
+-------+-------+-------+-------+
36: | user length | user length |
+-------+-------+-------+-------+
40: | user offset | 0 | 0 |
+-------+-------+-------+-------+
44: | host length | host length |
+-------+-------+-------+-------+
48: | host offset | 0 | 0 |
+-------+-------+-------+-------+
52: | 0 | 0 | 0 | 0 |
+-------+-------+-------+-------+
56: | message len | 0 | 0 |
+-------+-------+-------+-------+
60: | 0x01 | 0x82 | 0 | 0 |
+-------+-------+-------+-------+
64: | domain string |
+ +
. .
. .
+ +-------------------+
| | user string |
+-----------+ +
. .
. .
+ +-------------+
| | host string |
+-----------------+ +
. .
. .
+ +---------------------------+
| | LanManager-response |
+---+ +
. .
. .
+ +------------------+
| | NT-response |
+------------+ +
. .
. .
+-------+-------+-------+-------+

domain string: 主機域名(如davidturing.mydomain.com)
user string:使用者名稱(davidturing)
LanManager-response: 類DES的雜湊處理
NT-response:MD4雜湊處理
詳情可參考：
http://samba.kn.vutbr.cz/samba/docs/man/Samba-Developers-Guide/pwencrypt.html
}

/******************
ProxyServer-> Client:
******************/
HTTP/1.1 301 Moved Permanently
Via: 1.1 PROXYSERVER
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Content-Length: 158
Date: Wed, 21 Sep 2005 03:44:57 GMT
Location: http://www.matrix.org.cn/blog//cas/
Content-Type: text/html
Server: Microsoft-IIS/6.0

Object Moved

This document may be found here

{分析：很明顯，ProxyServer已經承認了我的身份，並讓我訪問Matrix了。這裡有一個小插曲，Matrix做了重定向（熟悉HTTP協議的人應該知道HTTP 301表示move permanetly，即客戶請求的文件在其他地方，新的URL在Location頭中給出，瀏覽器應該自動地訪問新的URL。）比如，如果我們直接訪問http://www.matrix.org.cn/blog//cas/，伺服器會IE重定向到http://61.142.81.140:9703/blog/cas/，你在頁面上不會察覺到這一點。Chris估計是想做備份吧？Blog這東西經常出問題。}

到此，我們已經通過了Proxy認證了，下面的通訊的Traffic我就不想說了，反正就是先取HTML網頁，再取網頁的Style.css，有一個先後順序，大家不必關心了。

/******************
Client->ProxyServer:
******************/
GET http://www.matrix.org.cn/blog//cas/ HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Accept-Language: zh-cn,en;q=0.8,zh;q=0.5,zh-tw;q=0.3
If-Modified-Since: Mon, 19 Sep 2005 03:19:14 GMT
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Maxthon; .NET CLR 2.0.50215)
Host: www.matrix.org.cn
Proxy-Connection: Keep-Alive
If-None-Match: "ea7c9ee9c8bcc51:10a4"
Cookie: user=cas%3A%3AAq3HtCAsqNlhY%3A%3A1; matrix_user_cookie=Y2FzfDgzMzM4MURELTk17UStMUU4MS05OTJDLTJERDM4RERGNkUyRg==

/******************
ProxyServer-> Client:
******************/
HTTP/1.1 200 OK
Via: 1.1 PROXYSERVER
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Content-Length: 36149
Date: Wed, 21 Sep 2005 03:44:57 GMT
Content-Location: http://www.matrix.org.cn/blog//cas/index.html
Content-Type: text/html
Server: Microsoft-IIS/6.0
Last-Modified: Tue, 20 Sep 2005 14:29:13 GMT
Accept-Ranges: bytes
ETag: "4a5cbacefbdc51:10ce"

．．．．頁面內容被省略．．．．．．．．．

/******************
Client->ProxyServer:
******************/
GET http://www.matrix.org.cn/blog/cas/styles-site.css HTTP/1.0
Accept: */*
Referer: http://www.matrix.org.cn/blog//cas/
Accept-Language: zh-cn,en;q=0.8,zh;q=0.5,zh-tw;q=0.3
Proxy-Connection: Keep-Alive
If-Modified-Since: Sat, 13 Aug 2005 13:23:57 GMT
If-None-Match: "3cea6142aa0c51:10a4"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Maxthon; .NET CLR 2.0.50215)
Host: www.matrix.org.cn
Cookie: user=cas%3A%3AAq3HtCAsqNlhY%3A%3A1; matrix_user_cookie=Y2FzfDgzMzM4MURELTk17UStMUU4MS05OTJDLTJERDM4RERGNkUyRg==

/******************
ProxyServer-> Client:
******************/
HTTP/1.1 200 OK
Via: 1.1 PROXYSERVER
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Content-Length: 5379
Date: Wed, 21 Sep 2005 03:44:57 GMT
Content-Type: text/css
Server: Microsoft-IIS/6.0
Last-Modified: Sat, 13 Aug 2005 13:23:57 GMT
Accept-Ranges: bytes
ETag: "3cea6142aa0c51:10ce"

body {
margin:0px 0px 20px 0px;
background:#FFF;
}
A { color: #003366; text-decoration: underline; }
A:link { color: #003366; text-decoration: underline; }
．．．．．styles-site.css內容被省略 ．．．．．
padding-right:15px;
padding-top:5px;
padding-bottom:5px;
}