Re: Problem authenticating with Negotiate-NTLM

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Sun, 10 Apr 2011 15:00:21 +0100

Hi Amos,

  Where in the 3.2 squid code will the Proxy-Authorization: line be added?
I can see that the negotiate-wrapper correctly returns the TT and I see in
the logs:

2011/04/10 01:07:43.849 kid1| negotiate/negotiateUserRequest.cc(272)
HandleReply: helper: '0x84886f0' sent us 'TT
TlRMTVNTUAACAAAACQAJADAAAAAGgokAT7KQwRyCYyIAAAAAAAAAAHQAdAA5AAAAV0lOMjAwM1IyAgASAFcASQBOADIAMAAwADMAUgAyAAEAFABPAFAARQBOAFMAVQBTAEUAMQAxAAQAEgBzAHUAcwBlAC4AaABvAG0AZQADACgAbwBwAGUAbgBzAHUAcwBlADEAMQAuAHMAdQBzAGUALgBoAG8AbQBlAAAAAAA='
2011/04/10 01:07:43.849 kid1| cbdataReferenceValid: 0x84cb4d0
2011/04/10 01:07:43.849 kid1| negotiate/negotiateUserRequest.cc(325)
HandleReply: Need to challenge the client with a server blob
'TlRMTVNTUAACAAAACQAJADAAAAAGgokAT7KQwRyCYyIAAAAAAAAAAHQAdAA5AAAAV0lOMjAwM1IyAgASAFcASQBOADIAMAAwADMAUgAyAAEAFABPAFAARQBOAFMAVQBTAEUAMQAxAAQAEgBzAHUAcwBlAC4AaABvAG0AZQADACgAbwBwAGUAbgBzAHUAcwBlADEAMQAuAHMAdQBzAGUALgBoAG8AbQBlAAAAAAA='
2011/04/10 01:07:43.849 kid1| UserRequest.cc(80) valid: Validating
AuthUserRequest '0x871dc88'.
2011/04/10 01:07:43.849 kid1| UserRequest.cc(100) valid: Validated.
AuthUserRequest '0x871dc88'.
2011/04/10 01:07:43.849 kid1| ACLChecklist::asyncInProgress: 0x84cb4d0 async
set to 0
2011/04/10 01:07:43.849 kid1| cbdataReferenceValid: 0x84cb3e0
2011/04/10 01:07:43.849 kid1| cbdataReferenceValid: 0x8457df8
2011/04/10 01:07:43.849 kid1| ACLChecklist::preCheck: 0x84cb4d0 checking
'http_access allow authenticate'
2011/04/10 01:07:43.850 kid1| ACLList::matches: checking authenticate
2011/04/10 01:07:43.850 kid1| ACL::checklistMatches: checking 'authenticate'
2011/04/10 01:07:43.850 kid1| UserRequest.cc(80) valid: Validating
AuthUserRequest '0x871dc88'.
2011/04/10 01:07:43.850 kid1| UserRequest.cc(100) valid: Validated.
AuthUserRequest '0x871dc88'.
2011/04/10 01:07:43.850 kid1| negotiate/negotiateUserRequest.cc(56)
authenticated: user not fully authenticated.
2011/04/10 01:07:43.850 kid1| UserRequest.cc(345) authenticate: header
Negotiate TlRMTVNTUAABAAAABoIIAAAAAAAAAAAAAAAAAAAAAAA=.
2011/04/10 01:07:43.850 kid1| UserRequest.cc(80) valid: Validating
AuthUserRequest '0x871dc88'.
2011/04/10 01:07:43.850 kid1| UserRequest.cc(100) valid: Validated.
AuthUserRequest '0x871dc88'.
2011/04/10 01:07:43.850 kid1| negotiate/negotiateUserRequest.cc(56)
authenticated: user not fully authenticated.
2011/04/10 01:07:43.850 kid1| negotiate/negotiateUserRequest.cc(201)
authenticate: need to challenge client
'TlRMTVNTUAACAAAACQAJADAAAAAGgokAT7KQwRyCYyIAAAAAAAAAAHQAdAA5AAAAV0lOMjAwM1IyAgASAFcASQBOADIAMAAwADMAUgAyAAEAFABPAFAARQBOAFMAVQBTAEUAMQAxAAQAEgBzAHUAcwBlAC4AaABvAG0AZQADACgAbwBwAGUAbgBzAHUAcwBlADEAMQAuAHMAdQBzAGUALgBoAG8AbQBlAAAAAAA='!

but the client never receives the Proxy-Authorization: line. It gets lost
somewhere in the squid code. It works for pure NTLM.

Thank you
Markus

"Markus Moeller" <huaraz_at_moeller.plus.com> wrote in message
news:inn1ro$qnh$2_at_dough.gmane.org...
>
> "Markus Moeller" <huaraz_at_moeller.plus.com> wrote in message
> news:im5hrq$vbr$1_at_dough.gmane.org...
>>I did some further tests and noticed the following:
>>
>> 1) IE with squid 3.0 works using my wrapper (See ie-nego-3.0.tgz)
>> 2) Polygraph with squid 3.0 fails for ntlm (either via negotiate-ntlm or
>> pure ntlm) (See polygraph-4.3.1-3.0.tgz)
>
> I can get 3.0 to work by adding Connection: Keep-Alive to Polygraph's
> client code.
>
>> 3) Polygraph with squid 3.2 works for ntlm but fails negotiate-ntlm (See
>> polygraph-4.3.1-3.2.tgz)
>>
>
> 3.2 still needs further analysis
>
>>
>> Markus
>>
>>
>> "Markus Moeller" <huaraz_at_moeller.plus.com> wrote in message
>> news:im4v3n$374$1_at_dough.gmane.org...
>>> Hi,
>>>
>>> I try to use my negotiate-wrapper with auth_ntlm and squid-3.2 and see
>>> that the helper returns TT ... and squid logs
>>>
>>> 2011/03/20 13:08:19.544 kid1| negotiate/negotiateUserRequest.cc(201)
>>> authenticate: need to challenge client
>>> 'TlRMTVNTUAACAAAAEgASADAAAAAFgomivxsqHXpxr1kAAAAAAAAAAHQAdABCAAAAVwBJAE4AMgAwADAAMwBSADIAAgASAFcASQBOADIAMAAwADMAUgAyAAEAFABPAFAARQBOAFMAVQBTAEUAMQAxAAQAEgBzAHUAcwBlAC4AaABvAG0AZQADACgAbwBwAGUAbgBzAHUAcwBlADEAMQAuAHMAdQBzAGUALgBoAG8AbQBlAAAAAAA='!
>>>
>>> but in the wireshark log I don't see a proxy-authenticate header line to
>>> challenge the client. What could be the reason ?
>>>
>>> When I switch to Negotiate-Kerberos everything works.
>>>
>>> Attached are the config and log files.
>>>
>>> Markus
>>>
>>>
>>
>
> Markus
>
>
Received on Sun Apr 10 2011 - 14:00:46 MDT
