RE: [squid-users] OWA accelerator authentication weirdness

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 15 Jan 2009 09:40:52 +1300 (NZDT)

>> > That's terrific that it works, but I'm not sure I understand why.
>> > Does "connection-auth=off" disable pass-through of NTLM? My
>> > understanding of the Activesync devices is that they require NTLM.
>> >
>>
>> Yes it disables pass-thru for NTLM.
>>
>> Which for you blocks that first NTLM challenge (direct from the OWA?),
>> and leaves the second (from your Squid auth_* setup?) to go through.
>>
>> Amos
>
> But I have all of my auth_* commented out.
>
> Before adding "connection-auth=off" to my https_port config, Firefox would
> give me two authentication prompts. First: "Enter user name and password
> for ...", which would not work. Then only after I hit CANCEL, I would get
> "A user name and password are being requested by ...", which does work.
>
> With "connection-auth=off" or with "Windows integrated authentication"
> disabled on the OWA server, Firefox would give me only the 2nd dialog, and
> it works. But Activesync devices don't work with "Windows integrated" disabled.
>
> With "Basic authentication" and "Windows integrated authentication"
> enabled on the OWA server and "connection-auth=off", everything works like
> it should.
>
> It's so confusing.

Yes. Multiple authentication methods, triggered from multiple sources,
going via multiple paths can be confusing.

Squid auth_param elided, which leaves:

"A user name and password are being requested by ..."
    == basic challenge by ISA.

"Enter user name and password for ..."
    == integrated/NTLM challenge by ISA.

I'm now thinking we have two distinct configurations for Squid:

Basic Auth (only) passed back:
  cache_peer ... login=PASS connection-auth=off

NTLM Auth (only) passed back:
  cache_peer ... connection-auth=on

Which appear to be non-compatible auth methods at present.
What happens if you re-enable the connection-auth on https_port and remove
the login=PASS from cache_peer?

Amos

>
> Alan
Received on Wed Jan 14 2009 - 20:41:00 MST
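
As an added illustration (not part of the original message and not Squid's own code), this Python sketch models the effect discussed in the thread: with connection-auth off, connection-oriented challenges such as NTLM are dropped from the backend's 401 before the client sees it, leaving only Basic. The sample response, the host name and the scheme set are constructed assumptions.

```python
# Constructed model of dropping connection-oriented auth challenges.
# Assumption: these schemes bind authentication to the TCP connection.
CONNECTION_ORIENTED = {"ntlm", "negotiate", "kerberos"}

# Constructed sample: a backend 401 offering integrated and Basic auth.
SAMPLE_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: NTLM\r\n"
    'WWW-Authenticate: Basic realm="owa.example.test"\r\n'
    "\r\n"
)


def parse_challenges(raw_response):
    """Return the non-empty WWW-Authenticate values, in header order."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    challenges = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "www-authenticate" and value.strip():
            challenges.append(value.strip())
    return challenges


def scheme_of(challenge):
    """The first token of a challenge is its scheme (case-insensitive)."""
    return challenge.split(None, 1)[0].lower()


def client_visible(challenges, connection_auth):
    """Challenges that reach the client for a connection-auth setting."""
    if connection_auth:
        return list(challenges)
    return [c for c in challenges if scheme_of(c) not in CONNECTION_ORIENTED]


def report(raw_response):
    """Map each connection-auth setting to the schemes the client is offered."""
    offered = parse_challenges(raw_response)
    return {
        setting: [scheme_of(c) for c in client_visible(offered, enabled)]
        for setting, enabled in (("on", True), ("off", False))
    }


if __name__ == "__main__":
    for setting, schemes in report(SAMPLE_401).items():
        print(f"connection-auth={setting}: {schemes}")
```

With both methods enabled on the backend, the "on" row shows why a browser can raise two different prompts, and the "off" row shows the single Basic prompt.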
