RE: [squid-users] NTLM Authentication

From: Chemolli Francesco (USI) <ChemolliF@dont-contact.us>
Date: Wed, 5 Sep 2001 11:50:05 +0200

> I've compiled the latest squid 2.5 (DEV) - 3 August, and I've a little
> problem with the automatic authentication...

We're still working on it :)

> We have 2 major domains in our network, more than 1000 users in each major
> domain, we have other domains, but the users in these smaller domains
> authenticate themselves manually (with basic authentication - msnt_auth).
> The problem is with the two major domains, let's call them ABCDOMAIN and
> XPTODOMAIN...

Are the domains in a trust relationship with each other?
Because at any given moment you're only talking with one domain controller,
which must relay the authentication request to the home domain.
The NTLM helpers will not choose the domain controller to use.
If "load-balancing" (the -b switch) is not enabled, all auth programs
will talk to the first DC supplied until it fails (I see you have enabled
failover mode).

> I've tried the following combinations in param_ntlm:
>
> auth_param ntlm program /usr/local/squid/libexec/squid/ntlm_auth -f
> ABCDOMAIN/PDC XPTODOMAIN/PDC
> This option seems to work for all the users of these two domains, but in
> some pages the USER/PASSWORD/DOMAIN window appears and the page
> automatically continues loading... In access.log I've got a lot of DENIEDs...

First off, the lots of denied. It's intentional. You'll get
two 407s for each TCP connection a client establishes to the proxy.
Yeah, it sucks. Yeah, it's by design. Blame Microsoft.

About the users getting denied: it's a problem with the DCs
failing between challenge generation and authentication. Yes, it sucks.
It's the DC's fault.

There are two possible workarounds:
1) do _not_ reuse challenges (max_challenge_reuses parameter).
This way you reduce to a minimum the window of opportunity for the problem
to occur.
2) use the --enable-helper-fail-open configure switch and the '-l'
NTLMSSP helper parameter.
This will treat certain kinds of domain controller failures as "conditional
success", thus hiding and reducing the problem.

> I would like to have automatic authentication for these two domains in the
> same proxy-server.
> How should I configure ntlm_auth in squid.conf ???

See above.

-- 
	/kinkie 
Received on Wed Sep 05 2001 - 03:41:06 MDT
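The two workarounds from the reply, written out as a squid.conf fragment. This is an added example, not part of the original message or of the squid distribution: the helper path and domain/DC names are the poster's placeholders, the `children` line is a standard setting assumed here for completeness, and the `-l` switch only exists if the helper was built with `--enable-helper-fail-open`.

```squid
# Added example (not from the original post). Assumes squid 2.5 with the
# bundled ntlm_auth helper; paths and DC names are placeholders.

# Before: challenges are reused, so a DC that fails between issuing a
# challenge and checking the response produces spurious DENIEDs.
#auth_param ntlm program /usr/local/squid/libexec/squid/ntlm_auth -f ABCDOMAIN/PDC XPTODOMAIN/PDC

# Workaround 1: never reuse a challenge. Every authentication round trip
# gets a fresh challenge from the DC, which minimises the window in which
# a DC failure can strand an outstanding challenge.
auth_param ntlm max_challenge_reuses 0

# Workaround 2: -b spreads helpers over the listed DCs instead of pinning
# all of them to the first one until it fails; -l (requires a helper built
# with --enable-helper-fail-open) reports certain DC failures as
# "conditional success" rather than a denial.
auth_param ntlm program /usr/local/squid/libexec/squid/ntlm_auth -b -f -l ABCDOMAIN/PDC XPTODOMAIN/PDC
auth_param ntlm children 5   # assumed value; size to your user count
```

Note that `-l` trades correctness for availability: a request that the DC could not actually verify is let through, so keep it as a last resort and monitor helper failures rather than treating it as the normal state.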