When your proxy is connected to the Active Directory, you can see that requests are refused twice by the proxy.
This behavior is normal and users did not see these connections refused.
- When browsers send the request, the proxy ask to browsers to send NTLM identification.
- But browsers did not send correct authentication protocol, they try to send basic method first and they are refused by the proxy. In this second step proxy ask an NTLM authentication.
- Browsers send NTLM authentication and then the proxy accept to forward requests.