RE: [squid-users] Authentication to Sharepoint not happening

From: Saurabh Agarwal <Saurabh.Agarwal_at_citrix.com>
Date: Tue, 1 Feb 2011 17:13:24 +0530

Looks like we are making progress. Yeah, there is a condition in the code in client_side.c that relates to when the "WWW-Authenticate" header is deleted. The condition checks for the no_connection_auth flag in the request.

This is the code. It checks whether no_connection_auth is set in the incoming request, and if so that header is deleted. I think it relates to pinning connections as you said earlier.

    if (request->flags.no_connection_auth) {
        httpHeaderDelAt(hdr, pos);
        connection_auth_blocked = 1;
        continue;
    }

But in Squid-2.7.Stable7 there is support only for specifying no-connection-auth in the http_port directive. In Squid 3.1 we can turn it on|off using connection-auth=[on|off].

How can I avoid setting the no_connection_auth flag in Squid-2.7.Stable.7?

Regards,
Saurabh

-----Original Message-----
From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
Sent: Tuesday, February 01, 2011 4:39 PM
To: squid-users_at_squid-cache.org
Subject: Re: [squid-users] Authentication to Sharepoint not happening

On 01/02/11 23:57, Saurabh Agarwal wrote:
> Thanks Amos. Yeah they were cut and paste errors. Other than that I have tried using http11 with http_port and ignore_expect and it still doesn't work.
>
> I think this is by design in Squid. Following code in "client_side.c" suggests that it will always filter the "WWW-Authenticate" header from HTTP Headers by treating it as unproxyable auth type.
>
> /* Filter unproxyable authentication types */
> if (http->log_type != LOG_TCP_DENIED &&
>     (httpHeaderHas(hdr, HDR_WWW_AUTHENTICATE))) {
>     HttpHeaderPos pos = HttpHeaderInitPos;
> ....
> ....
> ...code here removes the "WWW-Authenticate" from HTTP Header.

There should be some conditions skipping removal on "must_keepalive" or
"proxy_keepalive" flags in there.

I would expect pinning to be in effect at this point. If not that is a
problem someone might find worth fixing one day. For Negotiate auth type
at minimum.

>
> Also the following link "http://www.visolve.com/squid/Squid_tutorial.php#Authentication_" suggests that Proxy Auth can't work in transparent mode.
>
> Can you please comment on this?

Yes "Proxy-Authenticate:" will not work in transparent mode. There is no
reason why "WWW-Authenticate:" with the origin cannot.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.10
   Beta testers wanted for 3.2.0.4
Received on Tue Feb 01 2011 - 11:43:34 MST
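
The filtering discussed in this thread, as an added example that is not part of the original messages and is not Squid's source: a simplified C model of how dropping connection-oriented challenges when no_connection_auth is set can leave the client with no usable WWW-Authenticate header. The NTLM/Negotiate scheme list, the struct, the function names and the sample header values are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Result flags; names follow those mentioned in the thread (model only). */
struct reply_flags { int connection_auth_blocked; int must_keepalive; };

/* Assumed list: schemes that authenticate the TCP connection, not each request. */
static int is_connection_auth(const char *value)
{
    static const char *const schemes[] = { "NTLM", "Negotiate" };
    for (size_t i = 0; i < sizeof schemes / sizeof schemes[0]; i++) {
        size_t n = strlen(schemes[i]);
        if (strncasecmp(value, schemes[i], n) == 0 &&
            (value[n] == '\0' || value[n] == ' '))
            return 1;
    }
    return 0;
}

/* Filter WWW-Authenticate values in place; returns how many survive. */
static size_t filter_www_authenticate(const char **hdrs, size_t n,
                                      int no_connection_auth,
                                      struct reply_flags *out)
{
    size_t kept = 0;
    out->connection_auth_blocked = out->must_keepalive = 0;
    for (size_t i = 0; i < n; i++) {
        if (is_connection_auth(hdrs[i])) {
            if (no_connection_auth) {        /* same branch as in the thread */
                out->connection_auth_blocked = 1;
                continue;                    /* challenge is dropped */
            }
            out->must_keepalive = 1;         /* connection must stay pinned */
        }
        hdrs[kept++] = hdrs[i];
    }
    return kept;
}

int main(void)
{
    /* Constructed 401 reply offering only connection-oriented schemes. */
    const char *hdrs[] = { "Negotiate", "NTLM" };
    struct reply_flags f;
    size_t kept = filter_www_authenticate(hdrs, 2, 1, &f);
    printf("kept=%zu blocked=%d\n", kept, f.connection_auth_blocked);
    return 0;
}
```

With the flag set and only NTLM or Negotiate offered, no challenge survives, so the client receives a 401 it cannot answer; with the flag clear, the challenges pass through and the connection is marked to be kept alive.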
