RE: [squid-users] Squid30 + Exchange OWA 2010 forms based authentication problem

From: Sergey <serdemo_at_mail.ru>
Date: Tue, 4 Oct 2011 23:17:12 +0400

Amos

I corrected squid.conf as you suggested; the regex ACL also works as planned now (many thanks).

Squid.conf:

##
visible_hostname OWAdomain
cache_mgr postmaster_at_OWAdomain
https_port 172.16.1.3:9070 accel vhost cert=/etc/ssl/crt/server-cert.crt key=/etc/ssl/key/server-key.key sslflags=DONT_VERIFY_DOMAIN clientca=/etc/ssl/CA/cacert.pem cafile=/etc/ssl/CA/cacert.pem capath=/etc/ssl/CA/ sslcontext=id
cache_peer 10.200.210.25 parent 9070 0 proxy-only no-query no-digest ssl sslflags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN login=PASS front-end-https=on
cache_dir ufs /var/squid/cache 100 16 256
access_log /var/squid/logs/access.log
cache_log /var/squid/logs/cache.log
cache_store_log none
logfile_rotate 100
pid_filename /var/squid/squid.pid
acl OWA dstdomain OWAdomain
acl OWA_DIRS urlpath_regex -i ^/(rpc|owa|oab|autodiscover|Microsoft-Server-ActiveSync|public|exchweb|exchange)($|/.*)
never_direct allow OWA
cache_peer_access 10.200.210.25 allow OWA
http_access allow OWA OWA_DIRS
http_access deny all
##

But I still have no clue about the OWA forms-based authentication problem. I've done some tests and here is what I have in the logs:

IIS log on OWA with forms-based authentication enabled, connecting via Squid (doesn't work):

##
2011-10-04 17:30:39 10.200.210.25 POST /owa/auth.owa &ex=E002 9070 DOMAIN\User 10.200.210.3 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+WOW64;+Trident/5.0) 400 0 0 156
##

10.200.210.3 = internal FreeBSD (squid) box interface

Relevant SQUID access.log:

##
1317749452.720 155 client_IP TCP_MISS/400 585 POST https://owadomain:9070/owa/auth.owa - FIRST_UP_PARENT/10.200.210.25 text/html
##

IIS log on OWA with forms-based authentication enabled, connecting directly from the LAN (works normally):

##
2011-10-04 17:48:17 10.200.210.25 POST /owa/auth.owa - 9070 DOMAIN\User 10.200.210.100 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+InfoPath.2) 302 0 0 46
2011-10-04 17:48:17 10.200.210.25 GET /owa/forms/premium/StartPage.aspx &Initial+Budget>>Conn:1,HangingConn:0,AD:18000/18000/0%,CAS:90000/90000/0%,AB:18000/18000/0%,RPC:90000/90000/0%,FC:1000/0,Policy:DefaultThrottlingPolicy_0f15bae1-d3e2-4413-af94-b449c0cfd7ae,Norm&mbx=OWA.domain.LAN&sessionId=8beafa9fb59c4656832510d0de6fadfd&prfltncy=105&prfrpccnt=45&prfrpcltncy=63&prfldpcnt=4&prfldpltncy=15&prfavlcnt=0&prfavlltncy=0&End+Budget>>Conn:1,HangingConn:0,AD:18000/17985/1%,CAS:90000/89922/1%,AB:18000/18000/0%,RPC:90000/89940/1%,FC:1000/0,Policy:DefaultThrottlingPolicy_0f15bae1-d3e2-4413-af94-b449c0cfd7ae,Norm[Resources:(Mdb)HQ(Health:-1%,HistLoad:0),(DC) DC-SRV04.domain.LAN(Health:-1%,HistLoad:0),];GC:1/1/0; 9070 DOMAIN\User 10.200.210.100
Etc..
##

IIS log on OWA with plain text authentication enabled, connecting via Squid (works normally):

##
2011-10-04 18:51:55 10.200.210.25 GET /owa - 9070 - 10.200.210.3 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+WOW64;+Trident/5.0) 401 2 5 4843
2011-10-04 18:52:09 10.200.210.25 GET /owa - 9070 DOMAIN\User 10.200.210.3 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+WOW64;+Trident/5.0) 301 0 0 140
2011-10-04 18:52:14 10.200.210.25 GET /owa/forms/premium/StartPage.aspx &Initial+Budget>>Conn:1,HangingConn:0,AD:18000/18000/0%,CAS:90000/90000/0%,AB:18000/18000/0%,RPC:90000/90000/0%,FC:1000/0,Policy:DefaultThrottlingPolicy_0f15bae1-d3e2-4413-af94-b449c0cfd7ae,Norm&mbx=OWA.domain.LAN&sessionId=027f8d52ea6f442b9d264c023d77385c&prfltncy=4728&prfrpccnt=84&prfrpcltncy=1218&prfldpcnt=30&prfldpltncy=79&prfavlcnt=0&prfavlltncy=0&End+Budget>>Conn:1,HangingConn:0,AD:18000/17985/1%,CAS:90000/87251/5%,AB:18000/18000/0%,RPC:90000/89459/1%,FC:1000/0,Policy:DefaultThrottlingPolicy_0f15bae1-d3e2-4413-af94-b449c0cfd7ae,Norm[Resources:(Mdb)HQ(Health:-1%,HistLoad:0),(DC)DC-SRV01.domain.LAN(Health:-1%,HistLoad:0),(DC)DC-SRV02.sub.domain.LAN(Health:-1%,HistLoad:0),(DC)DC-SRV03.domain.LAN(Health:-1%,HistLoad:0),];GC:2/0/0; 9070 DOMAIN\User 10.200.210.3 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+WOW64;+Trident/5.0) 200 0 0 4765
2011-10-04 18:52:15 10.200.210.25 POST /owa/ev.owa oeh=1&ns=PendingRequest&ev=FinishNotificationRequest&Fn=1&UA=0&cpc=294872;C0:0;C1:0;C2:0;C3:0;C4:0;C5:0;C6:0;C7:0;C8:0;C9:0;C10:0&Initial+Budget>>Conn:1,HangingConn:0,AD:18000/17985/1%,CAS:90000/87251/5%,AB:18000/18000/0%,RPC:90000/89459/1%,FC:1000/0,Policy:DefaultThrottlingPolicy_0f15bae1-d3e2-4413-af94-b449c0cfd7ae,Norm&mbx=OWA.domain.LAN&sessionId=027f8d52ea6f442b9d264c023d77385c&prfltncy=66&prfrpccnt=0&prfrpcltncy=0&prfldpcnt=0&prfldpltncy=0&prfavlcnt=0&prfavlltncy=0&End+Budget>>Conn:1,HangingConn:0,AD:18000/17985/1%,CAS:90000/87205/5%,AB:18000/18000/0%,RPC:90000/89459/1%,FC:1000/0,Policy:DefaultThrottlingPolicy_0f15bae1-d3e2-4413-af94-b449c0cfd7ae,Norm 9070 DOMAIN\User 10.200.210.3 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+WOW64;+Trident/5.0) 200 0 0 78
2011-10-04 18:52:15 10.200.210.25 POST /owa/ev.owa oeh=1&ns=ClientCache&ev=Get&Initial+Budget>>Conn:1,HangingConn:0,AD:18000/17985/1%,CAS:90000/87205/5%,AB:18000/18000/0%,RPC:90000/89459/1%,FC:1000/0,Policy:DefaultThrottlingPolicy_0f15bae1-d3e2-4413-af94-b449c0cfd7ae,Norm&mbx=OWA.domain.LAN&sessionId=027f8d52ea6f442b9d264c023d77385c&prfltncy=175&prfrpccnt=2&prfrpcltncy=0&prfldpcnt=11&prfldpltncy=31&prfavlcnt=0&prfavlltncy=0&End+Budget>>Conn:1,HangingConn:0,AD:18000/17985/1%,CAS:90000/87034/5%,AB:18000/18000/0%,RPC:90000/89459/1%,FC:1000/0,Policy:DefaultThrottlingPolicy_0f15bae1-d3e2-4413-af94-b449c0cfd7ae,Norm[Resources:(Mdb)HQ(Health:-1%,HistLoad:0),] 9070 DOMAIN\User 10.200.210.3 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+WOW64;+Trident/5.0) 200 0 0 171
etc..
##

Relevant SQUID access.log:

##
1317754329.098 4845 client_IP TCP_MISS/401 1805 GET https://OWAdomain:9070/owa - FIRST_UP_PARENT/10.200.210.25 text/html
1317754343.454 139 client_IP TCP_MISS/301 688 GET https://OWAdomain:9070/owa - FIRST_UP_PARENT/10.200.210.25 text/html
1317754348.261 4753 client_IP TCP_MISS/200 28103 GET https://OWAdomain:9070/owa/ - FIRST_UP_PARENT/10.200.210.25 text/html
1317754349.458 81 client_IP TCP_MISS/200 711 POST https://OWAdomain:9070/owa/ev.owa? - FIRST_UP_PARENT/10.200.210.25 text/html
1317754350.010 180 client_IP TCP_MISS/200 1394 POST https://OWAdomain:9070/owa/ev.owa? - FIRST_UP_PARENT/10.200.210.25 application/x-javascript
1317754350.387 109 client_IP TCP_MISS/200 486 POST https://OWAdomain:9070/owa/ev.owa? - FIRST_UP_PARENT/10.200.210.25 -
1317754350.518 140 client_IP TCP_MISS/200 4658 GET https://OWAdomain:9070/owa/? - FIRST_UP_PARENT/10.200.210.25 text/html
1317754350.912 47 client_IP TCP_MISS/200 4856 GET https://OWAdomain:9070/owa/? - FIRST_UP_PARENT/10.200.210.25 text/html
1317754351.026 18 client_IP TCP_MISS/200 4696 GET https://OWAdomain:9070/owa/? - FIRST_UP_PARENT/10.200.210.25 text/html
1317754351.098 12 client_IP TCP_MISS/200 4375 GET https://OWAdomain:9070/owa/? - FIRST_UP_PARENT/10.200.210.25 text/html
1317754351.171 11 client_IP TCP_MISS/200 4692 GET https://OWAdomain:9070/owa/? - FIRST_UP_PARENT/10.200.210.25 text/html
1317754351.244 11 client_IP TCP_MISS/200 4788 GET https://OWAdomain:9070/owa/? - FIRST_UP_PARENT/10.200.210.25 text/html
1317754351.405 97 client_IP TCP_MISS/200 6595 GET https://OWAdomain:9070/owa/? - FIRST_UP_PARENT/10.200.210.25 text/html
1317754351.485 15 client_IP TCP_MISS/200 4161 GET https://OWAdomain:9070/owa/? - FIRST_UP_PARENT/10.200.210.25 text/html
1317754351.565 18 client_IP TCP_MISS/200 4542 GET https://OWAdomain:9070/owa/? - FIRST_UP_PARENT/10.200.210.25 text/html
1317754355.721 6208 client_IP TCP_MISS/200 1007 GET https://OWAdomain:9070/owa/ev.owa? - FIRST_UP_PARENT/10.200.210.25 text/html
1317754355.960 209 client_IP TCP_MISS/302 697 GET https://OWAdomain:9070/owa/logoff.owa - FIRST_UP_PARENT/10.200.210.25 text/html
1317754355.961 222 client_IP TCP_MISS/200 711 POST https://OWAdomain:9070/owa/ev.owa? - FIRST_UP_PARENT/10.200.210.25 text/html
1317754356.041 30 client_IP TCP_MISS/200 2661 GET https://OWAdomain:9070/owa/auth/logoff.aspx? - FIRST_UP_PARENT/10.200.210.25 text/html
##

I would not mind plain text auth since it is done over SSL, but the problem is that the Safari browser on iPhones and iPads doesn't keep login and password data for such a login interface, and people complain they have to input it every time.

Any suggestions greatly appreciated.

Sergey
Received on Tue Oct 04 2011 - 19:14:26 MDT
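An added example in Python (not part of Sergey's message or of Squid/Exchange): it compiles the OWA_DIRS urlpath_regex from the squid.conf above to check which URL paths the ACL admits, parses the IIS W3C and Squid native access.log formats quoted in the logs, and flags forms-based logon POSTs to /owa/auth.owa that did not get the expected 302 redirect, so the "via Squid" and "direct from LAN" records can be compared side by side. The IIS field order and the sample lines are taken from the post; the function names are this example's own.

```python
import re
# OWA_DIRS urlpath_regex from the squid.conf above; re.IGNORECASE mirrors the ACL's -i flag.
OWA_DIRS = re.compile(
    r"^/(rpc|owa|oab|autodiscover|Microsoft-Server-ActiveSync|public|exchweb|exchange)($|/.*)",
    re.IGNORECASE)
# Field order of the IIS W3C lines quoted in the post (14 space-separated fields).
IIS_FIELDS = ("date", "time", "s_ip", "method", "uri_stem", "uri_query", "port", "user",
              "client_ip", "user_agent", "status", "substatus", "win32_status", "time_taken")

def owa_path_allowed(path):
    """True if squid's OWA_DIRS ACL would match this URL path."""
    return OWA_DIRS.match(path) is not None

def parse_iis(line):
    """Parse one W3C line into a dict; None for truncated or malformed lines."""
    parts = line.split()
    if len(parts) != len(IIS_FIELDS):
        return None
    rec = dict(zip(IIS_FIELDS, parts))
    rec["status"] = int(rec["status"])
    rec["user_agent"] = rec["user_agent"].replace("+", " ")  # IIS writes spaces as '+'
    return rec

def parse_squid(line):
    """Parse a native access.log line: ts elapsed client action/status size method url ident peer type."""
    parts = line.split()
    if len(parts) < 9:
        return None
    action, _, status = parts[3].partition("/")
    return {"ts": float(parts[0]), "elapsed_ms": int(parts[1]), "client": parts[2],
            "action": action, "status": int(status), "method": parts[5],
            "url": parts[6], "peer": parts[8]}

def failed_form_logins(iis_lines):
    """Forms-based logon POSTs to auth.owa that did not get the expected 302 redirect."""
    hits = []
    for rec in filter(None, map(parse_iis, iis_lines)):
        if (rec["method"] == "POST" and rec["uri_stem"].lower().endswith("/auth.owa")
                and rec["status"] != 302):
            hits.append((rec["client_ip"], rec["status"], rec["uri_query"]))
    return hits

# Sample lines copied from the post (the 400 seen via squid, the 302 seen direct from LAN).
IIS_SAMPLE = r"""
2011-10-04 17:30:39 10.200.210.25 POST /owa/auth.owa &ex=E002 9070 DOMAIN\User 10.200.210.3 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+WOW64;+Trident/5.0) 400 0 0 156
2011-10-04 17:48:17 10.200.210.25 POST /owa/auth.owa - 9070 DOMAIN\User 10.200.210.100 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+InfoPath.2) 302 0 0 46
""".strip().splitlines()
SQUID_SAMPLE = ("1317749452.720 155 client_IP TCP_MISS/400 585 POST "
                "https://owadomain:9070/owa/auth.owa - FIRST_UP_PARENT/10.200.210.25 text/html")
```

Running `failed_form_logins` over a full IIS log isolates only the logon POSTs that did not redirect, which makes the via-proxy and direct cases easy to diff by client IP and query string.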
