Re: [squid-users] Re : [squid-users] NTLM auth and ContentLength = 0

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 11 Aug 2011 21:22:25 +1200

On 11/08/11 20:55, Christian Gregoire wrote:
>
>
>> Check cache.log for any mentions of problems. Perhapse enable debugging
>> with -d on the helper to see if there is an issue with the validation.
>
>
> Thanks for the tip. Indeed, I've run squid with the -X flag and got a pretty
> clear error for that request, while everything's fine for the others :
>
> [...]
> 2011/08/10 18:22:54.040| authenticateNTLMHandleReply: helper: '0x1d3ccc08' sent
> us 'AF expinet.colissimo'
> 2011/08/10 18:22:54.040| authenticateNTLMHandleReply: Successfully validated
> user via NTLM. Username 'expinet.colissimo'
> 2011/08/10 18:22:54.845| authenticateNTLMHandleReply: helper: '0x1d3ccc08' sent
> us 'TT
> TlRMTVNTUAACAAAADAAMADAAAAAFgomiVcvIuzNYgBwAAAAAAAAAAHYAdgA8AAAAUABJAEMASABPAE4AAgAMAFAASQBDAEgATwBOAAEAEgBGAFcALQBNAEEAUwBUAEUAUgAEABgAcABpAGMAaABvAG4ALgBsAG8AYwBhAGwAAwAsAGYAdwAtAG0AYQBzAHQAZQByAC4AcABpAGMAaABvAG4ALgBsAG8AYwBhAGwAAAAAAA=='
>
> 2011/08/10 18:22:54.845| authenticateNTLMHandleReply: Need to challenge the
> client with a server blob
> 'TlRMTVNTUAACAAAADAAMADAAAAAFgomiVcvIuzNYgBwAAAAAAAAAAHYAdgA8AAAAUABJAEMASABPAE4AAgAMAFAASQBDAEgATwBOAAEAEgBGAFcALQBNAEEAUwBUAEUAUgAEABgAcABpAGMAaABvAG4ALgBsAG8AYwBhAGwAAwAsAGYAdwAtAG0AYQBzAHQAZQByAC4AcABpAGMAaABvAG4ALgBsAG8AYwBhAGwAAAAAAA=='
>
> 2011/08/10 18:22:54.854| authenticateNTLMHandleReply: helper: '0x1d3ccc08' sent
> us 'AF expinet.colissimo'
> 2011/08/10 18:22:54.855| authenticateNTLMHandleReply: Successfully validated
> user via NTLM. Username 'expinet.colissimo'
> 2011/08/10 18:22:57.166| authenticateNTLMHandleReply: helper: '0x1d3ccc08' sent
> us 'TT
> TlRMTVNTUAACAAAADAAMADAAAAAFgomiBYi9jX1PfFAAAAAAAAAAAHYAdgA8AAAAUABJAEMASABPAE4AAgAMAFAASQBDAEgATwBOAAEAEgBGAFcALQBNAEEAUwBUAEUAUgAEABgAcABpAGMAaABvAG4ALgBsAG8AYwBhAGwAAwAsAGYAdwAtAG0AYQBzAHQAZQByAC4AcABpAGMAaABvAG4ALgBsAG8AYwBhAGwAAAAAAA=='
>
> 2011/08/10 18:22:57.166| authenticateNTLMHandleReply: Need to challenge the
> client with a server blob
> 'TlRMTVNTUAACAAAADAAMADAAAAAFgomiBYi9jX1PfFAAAAAAAAAAAHYAdgA8AAAAUABJAEMASABPAE4AAgAMAFAASQBDAEgATwBOAAEAEgBGAFcALQBNAEEAUwBUAEUAUgAEABgAcABpAGMAaABvAG4ALgBsAG8AYwBhAGwAAwAsAGYAdwAtAG0AYQBzAHQAZQByAC4AcABpAGMAaABvAG4ALgBsAG8AYwBhAGwAAAAAAA=='
>
> 2011/08/10 18:22:57.176| authenticateNTLMHandleReply: helper: '0x1d3ccc08' sent
> us 'AF expinet.colissimo'
> 2011/08/10 18:22:57.176| authenticateNTLMHandleReply: Successfully validated
> user via NTLM. Username 'expinet.colissimo'
> 2011/08/10 18:22:58.629| authenticateNTLMHandleReply: helper: '0x1d3ccc08' sent
> us 'TT
> TlRMTVNTUAACAAAADAAMADAAAAAFgomi/vpkDjFtgzcAAAAAAAAAAHYAdgA8AAAAUABJAEMASABPAE4AAgAMAFAASQBDAEgATwBOAAEAEgBGAFcALQBNAEEAUwBUAEUAUgAEABgAcABpAGMAaABvAG4ALgBsAG8AYwBhAGwAAwAsAGYAdwAtAG0AYQBzAHQAZQByAC4AcABpAGMAaABvAG4ALgBsAG8AYwBhAGwAAAAAAA=='
>
> 2011/08/10 18:22:58.629| authenticateNTLMHandleReply: Need to challenge the
> client with a server blob
> 'TlRMTVNTUAACAAAADAAMADAAAAAFgomi/vpkDjFtgzcAAAAAAAAAAHYAdgA8AAAAUABJAEMASABPAE4AAgAMAFAASQBDAEgATwBOAAEAEgBGAFcALQBNAEEAUwBUAEUAUgAEABgAcABpAGMAaABvAG4ALgBsAG8AYwBhAGwAAwAsAGYAdwAtAG0AYQBzAHQAZQByAC4AcABpAGMAaABvAG4ALgBsAG8AYwBhAGwAAAAAAA=='
>
> 2011/08/10 18:22:58.639| authenticateNTLMHandleReply: helper: '0x1d3ccc08' sent
> us 'NA NT_STATUS_NO_SUCH_USER'
> 2011/08/10 18:22:58.639| authenticateNTLMHandleReply: Failed validating user via
> NTLM. Error returned 'NT_STATUS_NO_SUCH_USER'
>
> The challenge might be wrongly generated by the client, though it'd be weird
> given the previous ones are correct. Or, if it's still related to the POST data
> length being zero, just to clear things up, do you know if it's (the POST data)
> used by the challenge generation algorithm?

POST data should be irrelevant. The helper is only working with an
failing to validate the Proxy-Authenticate header contents.

The trace you have above is Squids view of things. You need to send -d
to the helper itself (if available) to get the helpers view of whats
going on inside there.

>> What application is this? there are two bugs in those headers that need
>> reporting. Not related to your NTLM problems though.
>
>
> It's a Windows software, I don't know which client HTTP library is used.

Darn. Oh well.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.14
   Beta testers wanted for 3.2.0.10
Received on Thu Aug 11 2011 - 09:22:38 MDT

This archive was generated by hypermail 2.2.0 : Fri Aug 12 2011 - 12:00:01 MDT