Re: NTLM status: update

From: Serassio Guido <guido.serassio@dont-contact.us>
Date: Sat, 22 Nov 2003 21:22:15 +0100

Hi Henrik,

At 15.03 22/11/2003, Henrik Nordstrom wrote:

>On Sat, 22 Nov 2003, Serassio Guido wrote:
>
> > With IE 6 SP1, when browsing an ftp:// URL, IE always pops up for
> > authentication when trying to download internal ftp icons from Squid.
> > But changing the IE default security settings for Internet Zone from "User
> > Authentication->Logon->Prompt for user name and password" to "User
> > Authentication->Logon->Automatic logon with current username and password"
> > seems to avoid the problem.
>
>Ok. Makes sense.
>
>What I think happens here is that your browser is going direct for the
>icons rather than using the proxy (same port, different concept). Then the
>authentication is technically to another server even if it happens to have
>the same ip:port as the proxy.

The problem is something different:

IE uses "Security Zones": by default, automatic NTLM authentication is
enabled in the Intranet Zone, while in the Internet Zone it is disabled.

IE 5.01 correctly identifies that the proxy is in the Intranet Zone (I can
see the 407/200 sequence in access.log) and authenticates automatically
using NTLM for internal Squid objects.
IE 6 SP1 simply doesn't understand that the proxy is in the Intranet Zone,
and uses the Internet Zone rules (I can see 407 only), asking for
authentication for internal Squid objects.

>You should only see this popup once per session (or until the login
>expires from IE)

This happens for every object .....

> > acl internal_icons urlpath_regex [-i] \/squid-internal-static/icons/$
> > acl test proxy_auth REQUIRED
> >
> > http_access allow internal_icons
> > http_access allow test
> > http_access deny all
>
>This is generally to be recommended in any authentication setup, assuming you
>have first limited access on source IP. Try using basic authentication
>only and you will see why..
>
> > I think that in squid this anomalous browser behaviour is not handled
> > correctly, causing the wrong NTLM challenge reuse.
>
>It is not an anomalous browser behaviour if my assumption above is
>correct. Nor should it be related to the issue with challenge reuses even
>if reuses are disabled..

Yes, but with IE 5.01 there are no problems, as with Mozilla in NTLM mode,
so in IE 6 SP1 there is something anomalous.

Regards

Guido

-
========================================================
Guido Serassio
Acme Consulting S.r.l.
Via Gorizia, 69 10136 - Torino - ITALY
Tel. : +39.011.3249426 Fax. : +39.011.3293665
Email: guido.serassio@acmeconsulting.it
WWW: http://www.acmeconsulting.it/
Received on Sat Nov 22 2003 - 13:23:11 MST
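
The access.log observation in the message above (a 407/200 sequence for one browser, 407 only for the other) can be checked mechanically. The following is an added example, not part of the original post or of Squid: the log lines, addresses, host name and function names are constructed for illustration, and the field positions assume Squid's native access.log layout.

```python
from collections import defaultdict

ICON_PATH = "/squid-internal-static/icons/"

# Constructed sample lines, assuming Squid's native access.log layout:
# time elapsed client action/status bytes method URL user hierarchy type
SAMPLE_LOG = """\
1069532501.101 3 192.0.2.10 TCP_DENIED/407 1702 GET http://proxy.example:3128/squid-internal-static/icons/anthony-dir.gif - NONE/- text/html
1069532501.140 2 192.0.2.10 TCP_DENIED/407 1850 GET http://proxy.example:3128/squid-internal-static/icons/anthony-dir.gif - NONE/- text/html
1069532501.162 1 192.0.2.10 TCP_MEM_HIT/200 512 GET http://proxy.example:3128/squid-internal-static/icons/anthony-dir.gif EXAMPLE\\alice NONE/- image/gif
1069532610.007 3 192.0.2.20 TCP_DENIED/407 1702 GET http://proxy.example:3128/squid-internal-static/icons/anthony-dir.gif - NONE/- text/html
1069532615.390 3 192.0.2.20 TCP_DENIED/407 1702 GET http://proxy.example:3128/squid-internal-static/icons/anthony-text.gif - NONE/- text/html
1069532700.500 1 192.0.2.30 TCP_MEM_HIT/200 512 GET http://proxy.example:3128/squid-internal-static/icons/anthony-dir.gif - NONE/- image/gif
this line is truncated
"""

def parse_line(line):
    """Return (client, status, url), or None if the line is malformed."""
    fields = line.split()
    if len(fields) < 10 or not fields[3].partition("/")[2].isdigit():
        return None
    return fields[2], int(fields[3].partition("/")[2]), fields[6]

def icon_auth_outcomes(log_text):
    """Per client, count icon URLs by how the 407 challenge ended."""
    seen = defaultdict(list)              # (client, url) -> statuses in log order
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and ICON_PATH in rec[2]:
            seen[(rec[0], rec[2])].append(rec[1])
    outcomes = defaultdict(lambda: {"answered": 0, "unanswered": 0, "no_auth": 0})
    for (client, _url), statuses in seen.items():
        if 407 not in statuses:
            kind = "no_auth"              # served without any challenge
        elif any(s < 400 for s in statuses[statuses.index(407):]):
            kind = "answered"             # 407 followed by a successful reply
        else:
            kind = "unanswered"           # 407 only, handshake never completed
        outcomes[client][kind] += 1
    return dict(outcomes)

def stuck_clients(log_text):
    """Clients whose icon requests only ever produced 407 responses."""
    return sorted(c for c, o in icon_auth_outcomes(log_text).items()
                  if o["unanswered"] and not o["answered"])

if __name__ == "__main__":
    print(stuck_clients(SAMPLE_LOG))
```
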

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:20:47 MST