RE: [squid-users] Pb with Microsoft Integrated Login and Squid 3.1

Hi,

> I say "usually normal", because the client software should be aware of
> that requirement and send the auth for as many requests as needed in the > session.

Sniffing between Squid and clients shows that clients never send auth data within further requests in the session. Clients only send auth data just after receiving an "HTTP/1.1 401 Unauthorized" from the remote web server.

Jean-Marc Nogues

-----Message d'origine-----
De : NOGUES Jean-Marc (EURIWARE)
Envoyé : mardi 3 novembre 2009 10:36
À : 'Amos Jeffries'
Objet : RE: [squid-users] Pb with Microsoft Integrated Login and Squid 3.1

Hi Amos,

All clients have :
Windows XP SP2
and IE 6.0.2900.2180_xpsp_sp2_gdr.070227-2254 crypt=128 bits

At the bottom of the trace joined we can see an incoming "HTTP/1.1 401 Unauthorized"and then the rest of the upload previously initiated by the client.

( Sorry but, for security reasons I had to to extract a .txt
 file from the original Winshark trace.
- tell if you need more )
regards,

Jm Nogues

-----Message d'origine-----
De : Amos Jeffries [mailto:squid3_at_treenet.co.nz]
Envoyé : mardi 3 novembre 2009 05:54
À : NOGUES Jean-Marc (EURIWARE)
Cc : squid-users_at_squid-cache.org
Objet : Re: [squid-users] Pb with Microsoft Integrated Login and Squid 3.1

NOGUES Jean-Marc (EURIWARE) wrote:
> Hi,
>
> I have upgraded our squid from 2.5 stable6 to 3.1.0.14 . This because
> many remote web servers want Microsoft connection oriented
> authentication and I 'have seen that squid 2.5 doesn't forward that
> kind of authentication. .
>
> Now using squid 3.1, my users can connect such web servers but there
> is still an issue..
>
> From time to time , when uploading a file , users get a blank page and
> message "Request not yet fully sent" can be seen in cache.log file.
>
> Sniffing this (sniffer between proxy and web servers) I can see that,
> from time to time, servers are going on sending authentication requests
> although the user has been already authenticated (is it a normal
> behaviour ?).

Yes this is _usually_ normal. HTTP being stateless the auth details
need to be sent on every request, or the client will be re-challenged.

I say "usually normal", because the client software should be aware of
that requirement and send the auth for as many requests as needed in the
session.

What is NOT normal here is seeing repeated series of missing-auth
requests followed by auth request from the same clients. This is a sign
of either client software breakage, NAT, or missing keep-alive data in
the requests. Persistent connections, aka keep-alive, is REQUIRED on
both the client and server connections for NTLM based auth along with
connection pinning to force stateless HTTP into stateful behavior
between the client and server.

>
> So sometimes it happens that Squid receives an authentication request as
> it is still sending upload data to the server.
> This stops the upload and produces the message seen in cache.log

Looks like you have hit a bug. Possibly the one people are struggling
with at present where a connections auth credentials are dropped
mid-session.

Can you supply any more detailed trace of whats going on please?

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE7 or 3.0.STABLE20
   Current Beta Squid 3.1.0.14