Re: [squid-users] negotiate auth scheme confusing windows users

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 11 Jan 2011 20:13:12 +1300

On 11/01/11 08:16, Brian J. Murrell wrote:
> I have the following configured for authentication in my squid 3.1.1 server:
>
> auth_param negotiate program /usr/lib/squid3/squid_kerb_auth
> auth_param negotiate children 10
> auth_param negotiate keep_alive on
> auth_param basic program /usr/lib/squid3/pam_auth
> auth_param basic children 3
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
>
> Which works just fine in my all-linux-and-firefox-and-chromium network.
>
> Every now and then though a Windows (7) user comes into the network and for
> whatever reason proxy authentication doesn't work on those nodes.
>
> My guess is that windows is trying to do Negotiate authentication but squid is
> not able to understand what it's sending. Am I close? Any solutions?
>

Try to upgrade to 3.1.10. 3.1.1 is outdated with several security
vulnerabilities now. You might also try 3.2 beta release and see if the
updated auth handling there is any better for you.

Either way, check the logs and try to track down exactly whether and how
the auth is failing. Guesses are not good enough, sorry.

In order for auth to fail completely with that config one or more of
these must be happening:
  * BOTH Negotiate and Basic protocols fail
  * or, the browser fails to try the available alternatives when one breaks
  * or, the browser continually sends the wrong credentials and gets
    rejected

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.10
   Beta testers wanted for 3.2.0.4
Received on Tue Jan 11 2011 - 07:13:22 MST
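
Added example, not part of the original message or of Squid's code: one way to track down how the auth is failing is to classify the Proxy-Authorization values a client sent on requests that were answered with a 407, then map them to the three cases listed in the reply. The header values are assumed to come from a packet trace or proxy debug output; the function names and sample headers are constructed for illustration.

```python
import base64
import binascii

SPNEGO_OID = bytes.fromhex("06062b0601050502")      # DER for 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # DER for 1.2.840.113554.1.2.2

def classify_proxy_auth(value):
    """Return (scheme, detail) for one Proxy-Authorization header value."""
    scheme, _, blob = value.strip().partition(" ")
    scheme = scheme.lower()
    try:
        raw = base64.b64decode(blob.strip(), validate=True)
    except (binascii.Error, ValueError):
        return scheme, "malformed-base64"
    if scheme == "basic":
        user, sep, _password = raw.partition(b":")
        # Report the user name only; the password is never returned.
        return scheme, ("user=" + user.decode("utf-8", "replace")) if sep else "malformed"
    if scheme == "negotiate":
        if raw.startswith(b"NTLMSSP\x00"):
            return scheme, "ntlm"  # NTLM message, not a Kerberos ticket
        if len(raw) > 1 and raw[0] == 0x60:  # GSS-API initial token
            # Skip the DER length: 1 byte (short form) or 1 + n bytes (long form).
            skip = 2 if raw[1] < 0x80 else 2 + (raw[1] & 0x7F)
            if raw[skip:].startswith(SPNEGO_OID):
                return scheme, "spnego"
            if raw[skip:].startswith(KRB5_OID):
                return scheme, "kerberos"
        return scheme, "unknown-token"
    return scheme, "unsupported-scheme"

def failure_mode(attempts):
    """Name the failure case for one client (None = header absent, all got a 407)."""
    sent = [v for v in attempts if v]
    if not sent:
        return "no credentials offered"
    schemes = {classify_proxy_auth(v)[0] for v in sent}
    if {"negotiate", "basic"} <= schemes:
        return "both schemes tried and rejected"
    if len(set(sent)) < len(sent):
        return "same credentials resent"
    return "no fallback from " + "/".join(sorted(schemes))

def _hdr(scheme, raw):  # build a constructed sample header value
    return scheme + " " + base64.b64encode(raw).decode()

# Constructed samples, not captured traffic.
NTLM_SAMPLE = _hdr("Negotiate", b"NTLMSSP\x00\x01\x00\x00\x00")
SPNEGO_SAMPLE = _hdr("Negotiate", b"\x60\x82\x01\x00" + SPNEGO_OID + b"\xa0\x00")
BASIC_SAMPLE = _hdr("Basic", b"alice:constructed-password")
```

Captured Basic headers contain recoverable passwords, so keep only the classifier's output in any notes or tickets rather than the raw header values.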