Sam Uong

Do you have (or are able to install) [curl](https://curl.se/)? If so, you can use something like this to see the Proxy-Authenticate header at each step of the NTLM handshake: ```...

I'm not sure that's correct. According to your link, only iOS and iPadOS (but not macOS) support "Negotiation challenges", and even that only handles "HTTP 401 Negotiate challenges" not HTTP...

Not sure if you've got a proxy that uses Kerberos auth to test against; if so, does this work for you? When I've tried this in the past Alpaca received...

I was expecting the ticket to be attached to an HTTP request - i.e. I thought it was application-level auth, not a network-level. Basically the client sends a request and...

Thanks for testing guys, that's really interesting. Alpaca will only do an NTLM handshake if the proxy sends back a 407 Proxy Authentication Required response - all requests are initially...

Yep, I think that makes sense, we should be logging that anyway. I'll have a go at tidying up the `log-407s` branch so that it does that.

The more I think about this, the more I think that users should just download a PAC file themselves and configure Alpaca to download the PAC file from a file://...

I'd like to avoid any user prompts so that Alpaca can run in daemon mode if needed (e.g. within a Docker container). I can think of a few more options...

I get that it's a bit of a hassle, but it'd be nice to have a way to detect problems rather than just being helpless. I'm open to the idea...

This issue was filed during a period of time when Alpaca was coming together, and I had to think all the design decisions and error cases that could arise. I've...