Re: [squid-users] WWW-Authenticate header

From: Michael Hendrie <michael_at_hendrie.id.au>
Date: Wed, 15 Jun 2011 13:10:34 +0930

On 15/06/2011, at 8:09 AM, Amos Jeffries wrote:

> On Wed, 15 Jun 2011 08:48:31 +1200, Mike Bordignon (GMI) wrote:
>> On 14/06/2011 6:32 p.m., Amos Jeffries wrote:
>>> Not another one. Good luck.
>>>
>>> If you have any influence or contact with the devs of that app please help educate them of the safety issues involved with sending users internal machine logins out over the global Internet. And HTTPS is no longer a guarantee of protection.
>>>
>>>
>>
>> I do have access to the devs, but access won't be over the Internet -
>> it'll be over a LAN. No problem there.
>>
>>>> replies with a WWW-Authenticate header. Squid doesn't appear to be
>>>> passing through the Authentication headers to the browser.
>>>
>>> Indicating that Squid has detected the TCP links involved do not support that type of auth.
>>
>> I've since used Wireshark and it appears I am receiving
>> WWW-Authenticate headers. Somewhat confused now.
>
> Welcome to the party.
>
>
> Could be the security levels don't match between the WebApp server and the workstation. NTLM has a layering system where the server advertises its preferred security level, and the workstation agrees or does not respond. There are five levels, some of which indicate willingness to accept lower security, some restrict only to that level or higher.
>
> This has the best explain I've seen so far. Though it does not mention where Negotiate/Kerberos fits into the layers.
> http://technet.microsoft.com/en-us/magazine/2006.08.securitywatch.aspx
>
>
>>
>>>
>>> pipeline_prefetch is one feature which NTLM auth will break. Make sure that is turned OFF manually.
>>>
>>> HTTP/1.0 persistent connections is another. Make sure client_persistent_connections is turned ON manually in 3.1 series. Make sure that server_persistent_connections is REMOVED from your config in 3.1 series, and manually turned ON in 3.0 and earlier.
>>>
>>>
>>> After that its cross fingers and hope. If you find anything strange still going on, please mention it.
>>>
>>> When you encounter a problem the first thing asked will be to verify it on the latest release. It speeds up the fix a bit if that is where its found.
>>
>> Thanks, I will keep that in mind. I've made the other config changes
>> you suggest but still I get prompted for a password by my browser, I
>> enter the correct password and again I get the prompt (via Firefox).
>> IE is working, however?!
>
> Which indicates the credentials are fine as is the proxy part of the transaction. Firefox appears not have security access to the OS properly to do the background stuff required. 2/3 of NTLM and related protocols is done in background actions.

If it's working in IE then its probably one of Firefox's NTLM settings. If you enter "about:config" in the address bar of FF and then filter for "ntlm" you will see what options are available.

More than likely be the "network.automatic-ntlm-auth.trusted-uris;" option needs the address of the app server listed.

>
> Amos

Received on Wed Jun 15 2011 - 03:40:43 MDT

This archive was generated by hypermail 2.2.0 : Wed Jun 15 2011 - 12:00:03 MDT