Re: Windows NTLM authenticator

From: Serassio Guido <guido.serassio@dont-contact.us>
Date: Mon, 08 Sep 2003 10:43:27 +0200

Hi Henrik,

At 09.13 08/09/2003, Henrik Nordstrom wrote:

>On Sun, 7 Sep 2003, Serassio Guido wrote:
>
> > I have tried this solution too, but things seem to be more unstable.
>
>In what way?

Very high rate of random authentication pop-ups.

> > I have some doubts about challenge reuse: with this type of authenticator,
> > can the challenge be reused?
>
>The challenge packet should never be reused, but if you have clients which
>are guaranteed to be compatible then it may work for NTLM if you are
>lucky.

As in the other message to Robert:

It seems that in Squid there is a problem:
I'm using auth_param ntlm max_challenge_reuses 0, but sometimes I get a KK
without a YR, so the helper sends a BH to Squid and Internet Explorer
pops up for authentication.

>In NTLMv2 the challenge packet can not be reused at all.
>
> > Another question: it works fine with Mozilla's NTLM and with IE when the
> > machine is in the right domain; when the machine is in another domain, IE
> > randomly pops up asking for username/password/domain again.
>
>No idea.
>
> > So, if possible, can you take a look at the sources to see if there is
> > anything missing?
>
>I can try, but I am very busy with other tasks at the moment.
>
>Robert or Kinkie: Do you have any possibility to look into this?
>
>To make such verification easier, please collect the following pieces of
>information:
>
>1. access.log with log_mime_hdrs
>2. traffic to/from the helper, identified by helper instance
>3. calls & responses from the Windows SSP module, identified by helper
>instance.

OK, I will collect some transaction logs; currently I have tested it with NT
4, 2000 and 2003 clients.

I have added to the helper a hex dump capability to dump the NTLM packets
in hex format in the log; this is very useful to check what happens.

Regards

Guido

-
========================================================
Guido Serassio
Acme Consulting S.r.l.
Via Gorizia, 69 10136 - Torino - ITALY
Tel. : +39.011.3249426 Fax. : +39.011.3293665
Email: guido.serassio@acmeconsulting.it
WWW: http://www.acmeconsulting.it/
Received on Mon Sep 08 2003 - 02:46:27 MDT
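
Added example, not part of the original message and not Squid or helper code: a Python check over per-helper traffic (item 2 of the requested information) that flags a KK arriving with no outstanding challenge, the "KK without a YR" case described above. The log line format, the helper ids and the sample lines are constructed assumptions, and the check assumes max_challenge_reuses 0, so each TT challenge is consumed by one KK.

```python
import base64
import struct

NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

def _msg(t):
    """Build a constructed, header-only NTLMSSP blob of message type t."""
    return base64.b64encode(b"NTLMSSP\x00" + struct.pack("<I", t)).decode()

def ntlm_type(b64):
    """Return the NTLMSSP message type name of a base64 blob, or None."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return None
    if len(raw) < 12 or raw[:8] != b"NTLMSSP\x00":
        return None
    return NTLM_TYPES.get(struct.unpack_from("<I", raw, 8)[0])

def find_orphan_kk(lines):
    """Return (line no, helper id, blob type) for each KK with no pending TT."""
    pending = {}   # helper id -> True while a TT challenge is outstanding
    findings = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 3:
            continue
        helper, direction, cmd = parts[:3]
        blob = parts[3] if len(parts) > 3 else ""
        if direction == "<" and cmd == "TT":
            pending[helper] = True
        elif direction == ">" and cmd == "YR":
            pending[helper] = False      # new handshake voids any old challenge
        elif direction == ">" and cmd == "KK":
            if not pending.get(helper):
                findings.append((n, helper, ntlm_type(blob)))
            pending[helper] = False      # reuse 0: a challenge is used once
    return findings

# Constructed sample. Assumed format: "<helper-id> <dir> <cmd> [blob]",
# where ">" is Squid to helper and "<" is helper to Squid.
SAMPLE = [
    f"h1 > YR {_msg(1)}",
    f"h1 < TT {_msg(2)}",
    f"h1 > KK {_msg(3)}",
    "h1 < AF EXAMPLE\\user",
    f"h2 > KK {_msg(3)}",    # no YR/TT seen on h2
    "h2 < BH no-challenge",
    f"h1 > KK {_msg(3)}",    # h1's challenge was already consumed
]
```

Each finding carries the helper instance and the decoded message type, so the matching access.log entries and hex dumps can be looked up for that helper.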
