Re: [squid-users] Java not working behind squid

From: Gavin McCullagh <gavin.mccullagh_at_gcd.ie>
Date: Tue, 25 Aug 2009 14:17:40 +0100

Hi,

On Tue, 25 Aug 2009, Truth Seeker wrote:

> I have squid-3.0.STABLE13-1.el5 on CentOS 5.3 which is authenticating with 2003 AD (kerb + winbind) and have different acls (group based) in place.
>
> The problem is, java is not working for our users. Previously they all were using ISA, and java was working for them.
>
> in the following site;
>
> http://www.dailyfx.com/ 3rd column on the right side shows the "Live currency rates" which is working with java. This is a must in our environment...
>
> Awaiting your response...

We have a similar setup on one VLAN, with squid on linux authenticating
users using active directory. We've seen lots of issues with Java not
being able to authenticate.

Testing the page you're talking about (albeit with a linux desktop), I get
a java popup window asking me for my AD username/password/domain, I type it
in but repeatedly it fails.

The squid access.log says:

1251204847.837 0 172.16.1.3 TCP_DENIED/407 1846 CONNECT balancer.netdania.com:443 - NONE/- text/html
1251204847.842 0 172.16.1.3 TCP_DENIED/407 1846 CONNECT balancer.netdania.com:443 - NONE/- text/html

I'm not sure if these lines in cache.log are relevant or not.

[2009/08/25 13:42:00, 1] libsmb/ntlmssp.c:ntlmssp_update(267)
  got NTLMSSP command 3, expected 1
[2009/08/25 13:42:00, 1] libsmb/ntlmssp.c:ntlmssp_update(267)
  got NTLMSSP command 3, expected 1
[2009/08/25 13:42:01, 1] libsmb/ntlmssp.c:ntlmssp_update(267)
  got NTLMSSP command 3, expected 1
[2009/08/25 13:42:01, 1] libsmb/ntlmssp.c:ntlmssp_update(267)
  got NTLMSSP command 3, expected 1
[2009/08/25 13:47:02, 1] libsmb/ntlmssp.c:ntlmssp_update(267)
  got NTLMSSP command 3, expected 1

My usual workaround is to add an ACL for that site which is far from ideal.
I've added the following ACL:

        acl dailyfx dstdomain balancer.netdania.com
        http_access allow dailyfx CONNECT

That works around the issue for me. I still get prompted for the username
and password and the logs suggest some traffic isn't getting through.

1251205769.600 14385 172.16.1.3 TCP_MISS/000 7263 CONNECT balancer.netdania.com:443 - FIRST_UP_PARENT/172.20.2.3 -
1251205771.233 1 172.16.1.3 TCP_DENIED/407 1954 GET http://balancer.netdania.com/StreamingServer/StreamingServer? - NONE/- text/html
1251205771.239 3 172.16.1.3 TCP_DENIED/407 1969 GET http://balancer.netdania.com/StreamingServer/StreamingServer? - NONE/- text/html
1251205771.516 277 172.16.1.3 TCP_MISS/200 1443 GET http://balancer.netdania.com/StreamingServer/StreamingServer? gavinmc FIRST_UP_PARENT/172.20.2.3 application/zip
1251205774.813 55 172.16.1.3 TCP_DENIED/407 1954 GET http://balancer.netdania.com/StreamingServer/StreamingServer? - NONE/- text/html
1251205774.816 0 172.16.1.3 TCP_DENIED/407 1969 GET http://balancer.netdania.com/StreamingServer/StreamingServer? - NONE/- text/html
1251205776.537 1721 172.16.1.3 TCP_MISS/200 1125 GET http://balancer.netdania.com/StreamingServer/StreamingServer? gavinmc FIRST_UP_PARENT/172.20.2.3 application/zip
1251205779.681 1 172.16.1.3 TCP_DENIED/407 1954 GET http://balancer.netdania.com/StreamingServer/StreamingServer? - NONE/- text/html
1251205779.685 1 172.16.1.3 TCP_DENIED/407 1969 GET http://balancer.netdania.com/StreamingServer/StreamingServer? - NONE/- text/html

If I drop the word CONNECT I get no errors at all, but that disables
authentication entirely for that site.

There is definitely some issue with authentication and Java. I'm not sure
if it might actually be Authentication+Java+SSL. Our problems are
generally with java-driven online banking applications.

Gavin
Received on Tue Aug 25 2009 - 13:17:44 MDT
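As an added example (not code from Gavin's post or from the squid project), here is a small Python parser for the squid native access.log format quoted above that flags client/method/host triples which only ever draw 407 challenges and never an authenticated request, the pattern seen in the CONNECT lines; the sample lines are copied from the post, and the field names are assumptions for illustration.

```python
"""Flag proxy-authentication (407) loops in squid native access.log output."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Squid native format: time elapsed client code/status bytes method url user hier/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<type>\S+)$"
)

def parse_line(line):
    """Return a dict of fields for one access.log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # CONNECT logs host:port; every other method logs a full URL
    rec["host"] = (rec["url"].split(":")[0] if rec["method"] == "CONNECT"
                   else urlsplit(rec["url"]).hostname)
    return rec

def find_auth_loops(lines, min_denials=2):
    """Return {(client, method, host): denials} for triples that received at least
    min_denials 407 replies and never produced a request with a real user name.
    A 407 pair followed by an authenticated 200 is a normal NTLM handshake and is
    not reported; only clients that never get past the challenge are."""
    denied = defaultdict(int)
    authed = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["client"], rec["method"], rec["host"])
        if rec["status"] == 407:
            denied[key] += 1
        elif rec["user"] != "-":
            authed.add(key)
    return {k: n for k, n in denied.items() if n >= min_denials and k not in authed}

# Sample input copied from the access.log excerpts in the post above
SAMPLE_LINES = [
    "1251204847.837 0 172.16.1.3 TCP_DENIED/407 1846 CONNECT balancer.netdania.com:443 - NONE/- text/html",
    "1251204847.842 0 172.16.1.3 TCP_DENIED/407 1846 CONNECT balancer.netdania.com:443 - NONE/- text/html",
    "1251205771.233 1 172.16.1.3 TCP_DENIED/407 1954 GET http://balancer.netdania.com/StreamingServer/StreamingServer? - NONE/- text/html",
    "1251205771.239 3 172.16.1.3 TCP_DENIED/407 1969 GET http://balancer.netdania.com/StreamingServer/StreamingServer? - NONE/- text/html",
    "1251205771.516 277 172.16.1.3 TCP_MISS/200 1443 GET http://balancer.netdania.com/StreamingServer/StreamingServer? gavinmc FIRST_UP_PARENT/172.20.2.3 application/zip",
]
```

Run against the sample, the GET triple is cleared by the authenticated 200 while the CONNECT triple, which never authenticates, is reported.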

This archive was generated by hypermail 2.2.0 : Tue Aug 25 2009 - 12:00:03 MDT