RE: [squid-users] NTLM accelerator authentication weirdness

From: Alan Lehman <alehman_at_gbateam.com>
Date: Sat, 24 Jan 2009 11:40:42 -0600

> cc'ing David W. who appears to have the same issue on 2.7 with similar
> but different pass-thru code.
>
> Alan Lehman wrote:
> >> Yes. Multiple authentication methods, triggered from multiple sources,
> >> going via multiple paths can be confusing.
> >>
> >> Squid auth_param elided, which leaves:
> >>
> >> "A user name and password are being requested by ..."
> >> == basic challenge by ISA.
> >>
> >> "Enter user name and password for ..."
> >> == integrated/NTLM challenge by ISA.
> >>
> >>
> >> I'm now thinking we have two distinct configurations for Squid:
> >>
> >> Basic Auth (only) passed back
> >> cache_peer ... login=PASS connection-auth=off
> >>
> >> NTLM Auth (only) passed back:
> >> cache_peer ... connection-auth=on
> >>
> >>
> >> Which appear to be non-compatible auth methods at present.
> >> What happens if you re-enable the connection-auth on https_port and
> >> remove the login=PASS from cache_peer?
> >>
> >> Amos
> >>
> >
> > OWA is back to the previous double login with Firefox. Activesync PDA
> > won't accept login.
>
> Oh dear. Well if it's not working individually or combined, I'm stumped.
> At least we have one method that works for Alan. (Dean, it turned out to
> be turning connection-auth=off on the port).
>
> But having to turn it off is not good. I've opened a bug report to track
> this. http://www.squid-cache.org/bugs/show_bug.cgi?id=2572
>
> Is there any possibility of getting a full trace of the headers to/from
> Squid from both the Client and the Server facing links when NTLM is
> being attempted?
> If so that would be useful info for the bug, so someone with a bit more
> knowledge and time than me can track down what needs to be fixed.
>
> Along with:
> * build configuration options (squid -v output)
> * full (comment free) configuration settings
> * cache.log trace at level ALL,9 for the request duration.
>
>
> PS. If either of you has the inclination to wade through that data and
> guess at what the problem is it would be a great help too.
>
> Amos

I'll try to run the traces you requested and post them to bugzilla.
I should clarify that with connection-auth=off I am still getting the
basic authentication challenge. In all cases I am intending to
authenticate against the upstream OWA server. Sorry I'm so slow getting
back.
Alan
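An added example, not code from this thread or from Squid, of how the header traces Amos asks for can be checked once captured: it parses the auth challenges on the client-facing and server-facing 401 responses, flags a mixed Basic/NTLM offer (the double-login symptom), and notes when a connection-oriented scheme is offered on a response that also closes the connection. The two sample responses are constructed for the example; the hostname in the realm is a placeholder.

```python
# Constructed sample traces (assumption): the 401 Squid sent to the browser
# and the 401 Squid received from the upstream OWA/ISA server.
CLIENT_SIDE = """HTTP/1.1 401 Unauthorized
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm="owa.example.test"
Connection: close
"""

SERVER_SIDE = """HTTP/1.1 401 Unauthorized
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
Connection: Keep-Alive
"""

# Schemes whose multi-step handshake is bound to one TCP connection.
CONNECTION_ORIENTED = {"ntlm", "negotiate"}


def parse_challenges(response_text):
    """Return the auth schemes offered in a 401/407 response, in header order."""
    schemes = []
    for line in response_text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in ("www-authenticate", "proxy-authenticate"):
            parts = value.strip().split(None, 1)
            if parts:
                schemes.append(parts[0].rstrip(",").lower())
    return schemes


def classify(response_text):
    """Summarise one hop's challenge: which schemes, and whether they can work."""
    schemes = parse_challenges(response_text)
    conn_oriented = [s for s in schemes if s in CONNECTION_ORIENTED]
    closes = any(l.lower().startswith("connection:") and "close" in l.lower()
                 for l in response_text.splitlines())
    return {
        "schemes": schemes,
        "basic_offered": "basic" in schemes,
        "mixed": bool(conn_oriented) and "basic" in schemes,
        # NTLM/Negotiate cannot complete if the challenge closes the connection.
        "conn_auth_with_close": bool(conn_oriented) and closes,
    }


def compare_hops(client_side, server_side):
    """Report what changed between the server-facing and client-facing challenge."""
    c, s = classify(client_side), classify(server_side)
    return {
        "dropped": sorted(set(s["schemes"]) - set(c["schemes"])),
        "added": sorted(set(c["schemes"]) - set(s["schemes"])),
        "client_conn_auth_with_close": c["conn_auth_with_close"],
    }
```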
Received on Sat Jan 24 2009 - 17:40:53 MST