Here is my study case:

browser ---> apache proxy ---> ISA server ---> internet

The ISA server requires an authentication.

The issue is to allow HTTPS through the two proxies.

A configuration that works with HTTP is something like this: (yes, I don't want to use ProxyPass but ProxyRequests)

<virtualhost *:8080>
 ...
 SetEnv auth-proxy-chain on
 ...
 ProxyRequests On
 ProxyRemote * http://isaproxy:80
 ...
 <proxy *>
  AuthName "ISA server auth"
  AuthType Basic
  [here a module to authenticate]
  require valid-user
  Allow from all
 </proxy> 
 ...
 </virtualhost>

The user can authenticate on the apache proxy then the authentication chain is sent to the ISA server that allows the HTTP trafic.

But, while the browser switchs to HTTPS, the ISA server "speaks" NTLM and breaks the authentication on the apache proxy.

If I try to use the SSPI module (ntlm) with something like this:

blablabla

  <proxy *>
    AuthName "ISA server auth"
    AuthType ntlm
    [ SSPI stuff ]
    Require valid-user
    Allow from all
   </proxy>

The apache server reject the authentication (or the ISA server I don't really know).

I use wireshark to look at the nominal process while using directly the ISA server as proxy. The first auth-chain is a BASIC type then it switchs to NTLM (and the challenge continues with NTLM).

How should I configure apache that it transfers the NTLM authentication to the ISA proxy without checking it(*)? Or to rewrite headers to force BASIC authentication?

(*) It seems not to be as easy as it seems...