Re: [squid-users] Pb with Microsoft Integrated Login and Squid 3.1

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 05 Nov 2009 17:27:05 +1300

NOGUES Jean-Marc (EURIWARE) wrote:
> Hi,
>
>> I say "usually normal", because the client software should be aware of
>> that requirement and send the auth for as many requests as needed in the session.
>
> Sniffing between Squid and clients shows that clients never send auth data within further requests in the session.

Strange. Smells like broken client software.

> Clients only send auth data just after receiving an "HTTP/1.1 401 Unauthorized" from the remote web server.
>

What you should be seeing is a series of patterns like this:

CLIENT: request
WEB: 401 auth-missing
CLIENT: request+auth+keepalive
WEB: 200 Okay
CLIENT: request+auth+keepalive
WEB: 200 Okay
CLIENT: request+auth+keepalive
WEB: 200 Okay
CLIENT: request+auth+close
WEB: 200 Okay

... some time later (after browser closed and restarted for second session).

CLIENT: request
WEB: 401 auth-missing
CLIENT: request+auth+keepalive
WEB: 200 Okay
CLIENT: request+auth+close
WEB: 200 Okay

Amos

>
> -----Original Message-----
> From: NOGUES Jean-Marc (EURIWARE)
> Sent: Tuesday, 3 November 2009 10:36
> To: 'Amos Jeffries'
> Subject: RE: [squid-users] Pb with Microsoft Integrated Login and Squid 3.1
>
> Hi Amos,
>
> All clients have :
> Windows XP SP2
> and IE 6.0.2900.2180_xpsp_sp2_gdr.070227-2254 crypt=128 bits
>
> At the bottom of the trace joined we can see an incoming "HTTP/1.1 401 Unauthorized" and then the rest of the upload previously initiated by the client.
>
> (Sorry but, for security reasons I had to extract a .txt
> file from the original Winshark trace.
> - tell if you need more)
> regards,
>
> Jm Nogues
>
>
>
> -----Original Message-----
> From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
> Sent: Tuesday, 3 November 2009 05:54
> To: NOGUES Jean-Marc (EURIWARE)
> Cc: squid-users_at_squid-cache.org
> Subject: Re: [squid-users] Pb with Microsoft Integrated Login and Squid 3.1
>
> NOGUES Jean-Marc (EURIWARE) wrote:
>> Hi,
>>
>> I have upgraded our squid from 2.5 stable6 to 3.1.0.14. This is because
>> many remote web servers want Microsoft connection oriented
>> authentication and I have seen that squid 2.5 doesn't forward that
>> kind of authentication.
>>
>> Now using squid 3.1, my users can connect to such web servers but there
>> is still an issue.
>>
>> From time to time, when uploading a file, users get a blank page and
>> message "Request not yet fully sent" can be seen in cache.log file.
>>
>> Sniffing this (sniffer between proxy and web servers) I can see that,
>> from time to time, servers are going on sending authentication requests
>> although the user has been already authenticated (is it a normal
>> behaviour ?).
>
> Yes this is _usually_ normal. HTTP being stateless the auth details
> need to be sent on every request, or the client will be re-challenged.
>
> I say "usually normal", because the client software should be aware of
> that requirement and send the auth for as many requests as needed in the
> session.
>
> What is NOT normal here is seeing repeated series of missing-auth
> requests followed by auth request from the same clients. This is a sign
> of either client software breakage, NAT, or missing keep-alive data in
> the requests. Persistent connections, aka keep-alive, is REQUIRED on
> both the client and server connections for NTLM based auth along with
> connection pinning to force stateless HTTP into stateful behavior
> between the client and server.
>
>> So sometimes it happens that Squid receives an authentication request as
>> it is still sending upload data to the server.
>> This stops the upload and produces the message seen in cache.log
>
> Looks like you have hit a bug. Possibly the one people are struggling
> with at present where a connection's auth credentials are dropped
> mid-session.
>
> Can you supply any more detailed trace of what's going on please?
>
> Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE7 or 3.0.STABLE20
   Current Beta Squid 3.1.0.14
Received on Thu Nov 05 2009 - 04:27:28 MST
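
The following is an added example, not part of the original thread or of Squid: a small checker that reads a trace written in the CLIENT:/WEB: notation used in the reply above and reports where it departs from the pattern listed there. The function names and the sample trace are constructed for illustration, and the code assumes one trace covers a single client session on one connection.

```python
import re

# Constructed sample trace in the reply's notation (not captured traffic).
SAMPLE = """\
CLIENT: request
WEB: 401 auth-missing
CLIENT: request+auth+keepalive
WEB: 200 Okay
CLIENT: request
WEB: 401 auth-missing
CLIENT: request+auth
WEB: 200 Okay
CLIENT: request+auth+close
WEB: 200 Okay
"""

LINE = re.compile(r"^(CLIENT|WEB):\s*(.+)$")

def parse(trace):
    """Turn 'CLIENT: ...' / 'WEB: ...' lines into (sender, tokens-or-status) events."""
    events = []
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip blank lines and commentary
        sender, rest = m.groups()
        if sender == "CLIENT":
            events.append(("CLIENT", set(rest.split("+"))))
        else:
            events.append(("WEB", int(rest.split()[0])))
    return events

def deviations(trace):
    """Return (event_index, reason) for each departure from the expected pattern."""
    # Assumption: the trace is one client session on one connection.
    events = parse(trace)
    last_client = max((i for i, e in enumerate(events) if e[0] == "CLIENT"), default=-1)
    found, authenticated = [], False
    for i, (sender, data) in enumerate(events):
        if sender == "WEB":
            if data == 401 and authenticated:
                found.append((i, "re-challenged after session was authenticated"))
            authenticated = authenticated or data == 200
        else:
            if authenticated and "auth" not in data:
                found.append((i, "request without auth in authenticated session"))
            if "auth" in data and "keepalive" not in data and i != last_client:
                found.append((i, "auth request without keepalive mid-session"))
    return found
```

Calling `deviations(SAMPLE)` returns the zero-based event indexes of the request sent without auth, the repeated 401, and the auth request that dropped keep-alive before the session ended.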
