Re: [squid-users] NTLM accelerator authentication weirdness

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sun, 18 Jan 2009 14:00:36 +1300

cc'ing David W. who appears to have the same issue on 2.7 with similar
but different pass-thru code.

Alan Lehman wrote:
>> Yes. Multiple authentication methods, triggered from multiple sources,
>
>> going via multiple paths can be confusing.
>>
>> Squid auth_param elided, which leaves:
>>
>> "A user name and password are being requested by ..."
>> == basic challenge by ISA.
>>
>> "Enter user name and password for ..."
>> == integrated/NTLM challenge by ISA.
>>
>>
>> I'm now thinking we have two distinct configurations for Squid:
>>
>> Basic Auth (only) passed back
>> cache_peer ... login=PASS connection-auth=off
>>
>> NTLM Auth (only) passed back:
>> cache_peer ... connection-auth=on
>>
>>
>> Which appear to be non-compatible auth methods at present.
>> What happens if you re-enable the connection-auth on https_port and
>> remove the login=PASS from cache_peer?
>>
>> Amos
>>
>
> OWA is back to the previous double login with Firefox. Activesync PDA
> won't accept login.

Oh dear. Well if its not working individually or combined, I'm stumped.
At least we have one method that works for Alan. (Dean it turned out to
be turning connection-auth=off on the port).

But having to turn it off is not good. I've opened a bug report to track
this. http://www.squid-cache.org/bugs/show_bug.cgi?id=2572

Is there any possibility of getting a full trace of the headers to/from
Squid from both the Client and the Server facing links when NTLM is
being attempted?
If so that would be useful info for the bug, so someone with a bit more
knowledge and time than me can track down what needs to be fixed.

Along with:
  * build configuration options (squid -v output)
  * full (comment free) configuration settings
  * cache.log trace at level ALL,9 for the request duration.

PS. If either of you has the inclination to wade through that data and
guess at what the problem is it would be a great help too.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE5 or 3.0.STABLE11
   Current Beta Squid 3.1.0.3
Received on Sun Jan 18 2009 - 01:00:41 MST

This archive was generated by hypermail 2.2.0 : Sat Jan 24 2009 - 12:00:02 MST