Technical Tip: NTLM authentication is not working for explicit proxy

Reviewing WAD debug logs may reveal that the FortiGate is sending a 407 error repmsg_id 16.

diagnose wad filter process-id-by-src <IP_address_of_client>
diagnose wad debug enable level verbose
diagnose wad debug enable category auth
diagnose wad debug enable category http
diagnose debug console timestamp enable
diagnose debug enable

[I][p:435][s:86573982][r:89442614] wad_http_str_canonicalize :2196 enc=0 path=/ len=1 changes=0
[I][p:435][s:86573982][r:89442614] wad_http_req_detect_special :16110 captive_portal detected: false, preflight=(null)
[I][p:435][s:86573982][r:89442614] wad_http_dns_resolve :8350 [0x7f4df8b0fd08] DNS request name=myportal.xyzxyzyznotreal.com len=21 type/pref/pref-strict=0/0/0
[I][p:435][s:86573982][r:89442614] wad_http_dns_request_done :13588 [0x7f4df8b0fd08] DNS resolved: x3.228.64.x3
[I][p:435][s:86573982][r:89442614] __wad_http_build_replmsg_resp :789 Generating replacement message. 407 error repmsg_id 16 

The HTTP 407 error indicates that the request failed because the proxy server between the user and the destination server requires authentication, but valid credentials were not supplied.

The repmsg_id 16 is a specific message identifier that can help pinpoint the cause of the failure, although the main issue remains unchanged: the proxy server is denying access until authentication is completed.

Resolution:

Ensure the correct user with the correct password is used in the explicit proxy policy.