Re: Windows NTLM authenticator

From: <>
Date: Mon, 8 Sep 2003 12:17:40 +0200

Hi everybody,

I've not understood how and why but I've resolved random pop-up windows
with the following patch applied to squid-2.5.STABLE2.
In my old troubleshooting sessions I've noticed that the correct sequence
YR->TT->KK->AF was not followed in the right way: a new YR->TT sequence
was starting in the middle of an old one for the same (already busy)
helper. This led to the pop-up.
I looked like the selection of helpers was "broken" if all the helpers
were busy.

I Hope this can help you in catching the real issue with random pop-ups.


-------------------------------- CUT HERE --------------------------------
--- squid-2.5.STABLE2-20030401/src/auth/ntlm/auth_ntlm.c 2003-02-05
00:17:26.000000000 +0100
+++ squid-2.5.STABLE2-20030401-ntmulti/src/auth/ntlm/auth_ntlm.c
2003-05-16 14:56:17.000000000 +0200
@@ -719,15 +719,7 @@
        server = helperStatefulDefer(ntlmauthenticators);
        helperstate = server ? helperStatefulServerGetData(server) : NULL;
- while ((server != NULL) &&
authenticateNTLMChangeChallenge_p(helperstate)) {
- /* flag this helper for challenge changing */
- helperstate->starve = 1;
- /* and release the deferred request */
- helperStatefulReleaseServer(server);
- /* Get another deferrable server */
- server = helperStatefulDefer(ntlmauthenticators);
- helperstate = server ? helperStatefulServerGetData(server) :
- }
+ if (helperstate) helperstate->starve = 1;
        if (server == NULL)
            debug(29, 9) ("unable to get a deferred ntlm helper... all
helpers are refreshing challenges. Queuing as a placeholder request.\n");
-------------------------------- CUT HERE --------------------------------

>Serassio Guido <>
>Hi Robert,
>Il 23.31 07/09/2003 Robert Collins ha scritto:
>>On Mon, 2003-09-08 at 04:03, Serassio Guido wrote:
>>ntlm caching cannot be used with the windows backend, as you aren't
>>choosing your challenge - it's being supplied.
>My impression was correct.
>The helper currently don't allow the reuse of a challenge with a sort of
>two state architecture:
>YR => TT with a challenge generated from a fake negotiate packet
>KK => AF or NA
>and again
>YR => TT
>KK => AF or NA
>if a KK is got with an already used challenge, a BH is generated.
>It seems that in Squid there is a problem:
>I'm using auth_param ntlm max_challenge_reuses 0, but sometimes I get a
>without a YR, the helper sends a BH to squid and Internet Explorer
>for authentication.
>>Kinkie has a patch in development to supply the negotiate to the helper,
>>and force the squid.conf settings to a compatible level.. will try to
>>find time to review it, so we can move it along.
>Very interesting, the helper is ready for the real NEGOTIATE packet.
Received on Mon Sep 08 2003 - 04:17:48 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:20:40 MST