Re: [squid-users] Authentication failure with dotnet 2.0 app

From: Adrian Chadd <adrian@dont-contact.us>
Date: Wed, 13 Sep 2006 21:57:46 +0800

Squid-2.5 doesn't support the stuff required to properly proxy NTLM
authentication.

Here's the problem.

NTLM is a three-stage process - the first stage is the "fail, auth required, please
speak-y NTLM if you can." The client spits back some initial details.
The second stage is the "fail, auth required, here's your
challenge." The third stage is the successful bit but only stays
successful for that particular server connection.

Squid before squid-2.6 didn't "glue" server connections to client connections
if NTLM authentication occurred. This meant that the client may get a different
server connection for each leg of the request (as the server has to support
persistent connections to even participate in NTLM) and thus never quite managing
to hold open an NTLM authenticated session.

Squid-2.6 fixes this. Please try upgrading to the latest Squid-2.6 and let us know
whether this fixes the problem or not.

Adrian

On Wed, Sep 13, 2006, Michael Davidson wrote:
> Hi,
> Has anyone had problems with Windows apps, using dotnet 2.0,
> authenticating against a Squid proxy?
>
> We have a situation where a C# application, using .NET 1.1, which
> relays SMS's via the Internet, has been working successfully for many
> moons. Upon re-compiling this app and running it with .Net 2.0 we find
> that the NTLMSSP authentication fails against our SQUID proxy server.
>
> Ethereal traces shows the usual initial situation where the app
> establishes a TCP session with the proxy and then sends a HTTP POST, the
> proxy responds with authentication required using NTLM and that TCP
> session is closed. The application initiates another session and in the
> HTTP POST, now includes the NTLM type 1 message. The proxy responds with
> the "challenge" however the app does not respond to this and stops with
> a 407 error.
>
> I'm more than ready to believe that this isn't a SQUID problem and
> indeed have logged a ticket with Microsoft. I was really hoping that
> someone on the list has a ready answer/suggestion for me.
>
> I have tested against a proxy made up of:
>
> System: 2.6.15-1.2054_FC5smp #1 SMP Tue Mar 14 16:05:46 EST 2006 i686
> i686 i386 GNU/Linux
>
> Squid Cache: Version 2.5.STABLE12
> configure options: --prefix=/etc/squid --bindir=/usr/bin
> --sbindir=/usr/sbin --libexecdir=/usr/sbin --datadir=/usr/lib/squid
> --sysconfdir=/etc/squid --localstatedir=/var/squid --libdir=/etc/squid
> --mandir=/usr/share/man --enable-cache-digests
> --enable-default-err-language=English --enable-err-languages=English
> --enable-auth=ntlm --enable-ntlm-auth-helpers=SMB
> --with-samba-sources=/root/samba-3.0.23b
>
> squid.conf snippet:
> <
> auth_param ntlm use_ntlm_negotiate on
> auth_param ntlm program /usr/bin/ntlm_auth -d 9 -l /root/ntlm.log --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 5
> >
> SAMBA/WinBind: samba-3.0.23b-1.
>
> The authentication backend is a Windows AD.
>
> Regards Mike D.
Received on Wed Sep 13 2006 - 07:56:28 MDT
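
Added example, not part of the original thread or of Squid: a small Python check that reads the NTLM message type out of the proxy auth headers in a capture and reports whether the three legs stayed on one connection. The connection ids, the sample traces and the helper make_token are constructed for illustration; the tokens carry only the "NTLMSSP" signature and the 32-bit message-type field.

```python
import base64
import struct

NTLM_SIGNATURE = b"NTLMSSP\x00"

def ntlm_message_type(header_value):
    """Return 1, 2 or 3 for an 'NTLM <base64>' header value, else None."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token.strip():
        return None  # bare "NTLM" offer (first 407) or another scheme
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:
        return None  # not valid base64
    if len(raw) < 12 or not raw.startswith(NTLM_SIGNATURE):
        return None
    # The message type is a little-endian uint32 right after the signature.
    (msg_type,) = struct.unpack_from("<I", raw, 8)
    return msg_type if msg_type in (1, 2, 3) else None

def check_handshake(events):
    """events: (connection_id, header_value) pairs in capture order.
    Returns a finding describing how far the handshake got."""
    legs = {}  # message type -> connection it was last seen on
    for conn, value in events:
        msg_type = ntlm_message_type(value)
        if msg_type is not None:
            legs[msg_type] = conn
    if 1 not in legs:
        return "no negotiate (type 1) seen"
    if 2 not in legs:
        return "no challenge (type 2) seen"
    if 3 not in legs:
        return "challenge unanswered: no type 3 after type 2"
    if len({legs[1], legs[2], legs[3]}) > 1:
        return "handshake split across connections"
    return "handshake completed on one connection"

def make_token(msg_type):
    # Constructed minimal token: signature + type only, not a full NTLM message.
    body = NTLM_SIGNATURE + struct.pack("<I", msg_type)
    return "NTLM " + base64.b64encode(body).decode()

# Constructed traces. REPORTED follows the shape of the Ethereal trace in the
# quoted message; SPLIT and PINNED contrast unpinned and pinned connections.
REPORTED = [(1, "NTLM"), (2, make_token(1)), (2, make_token(2))]
SPLIT = [(1, make_token(1)), (1, make_token(2)), (2, make_token(3))]
PINNED = [(7, make_token(1)), (7, make_token(2)), (7, make_token(3))]
```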