Re: [squid-users] NTLM authentication to external sites using Windows 7

From: Øyvind Haddal <oyvind.haddal_at_gmail.com>
Date: Fri, 18 Nov 2011 20:53:32 +0100

Amos,

I am having this issue on all sites with this type of authentication
(Windows security popup box), it's not specifically related to one
site.

Have tested with Wireshark when accessing one of our Sharepoint sites
with both Windows XP and 7; here's how the communication goes:

Step 1. HTTP/1.1 401 Access denied
Step 2. GET http://sharepointURL/ HTTP/1.1 , NTLMSSP_NEGOTIATE
Step 3. HTTP/1.1 401 Unauthorized , NTLMSSP_CHALLENGE
Step 4. GET http://sharepointURL/ HTTP/1.1 , NTLMSSP_AUTH, User:
hqdomain\myusername

On Windows XP through Squid, and on both Windows XP and 7 directly to
Bluecoat, Step 5 gives: GET http://sharepointURL/default.aspx
HTTP/1.1, after a 301 redirect to default.aspx.

On Windows 7 through Squid, I get: HTTP/1.0 401 Unauthorized, which
then prompts for re-authentication.

I'm not seeing any difference in Steps 1-4, but I'm fairly new to this
and am unsure what I should be looking for; I may be missing
something.

Øyvind

On Fri, Nov 18, 2011 at 3:32 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> On 19/11/2011 2:03 a.m., Øyvind Haddal wrote:
>>
>> I am in the process of evaluating and testing a Squid configuration in
>> my environment. I have everything working the way I want except for
>> one thing: NTLM authentication with Windows 7 clients to a site in
>> another domain.
>>
>> Squid proxy is configured with multiple Bluecoat proxy servers as
>> parents, which handle all the user authentication using LDAP.
>> However, I also have a requirement that users sometimes log on to a site
>> located in a different domain, using personal Windows credentials for
>> that domain. This works without any problem with Windows XP clients,
>> but Windows 7 clients just keep getting the login prompt and are
>> unable to log in.
>>
>> I've configured the GPO for NTLMv1 on my domain, as suggested by other
>> threads, but this did not make any difference. All other threads I
>> have found are for issues where you want to use NTLM for Squid
>> authentication, which is not what I am trying to do.
>
> Avoid NTLMv1.  XP and later all support NTLMv2 and there is no difference
> between NTLM versions to Squid.
>
> The squid config you show is not doing anything except passing credentials
> untouched to the peers.
>
>> Hoping someone can assist or at least point me in the right direction
>> to solve this.
>
> Grab a copy of the HTTP headers in the request and replies to that website.
> Likely it is offering Negotiate support and the Windows 7 machines are
> trying to use it.
>
> Alternatively it could actually be requiring any one of a number of obsolete
> Microsoft protocols or encryption methods which all get called "NTLM" and
> have been dropped from Windows 7.
>
>
> Amos
>
>
Received on Fri Nov 18 2011 - 19:53:41 MST
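The five-step exchange described in the message above is the standard NTLM-over-HTTP handshake: a 401 offering the scheme, a Type 1 NEGOTIATE token in `Authorization: NTLM ...`, a Type 2 CHALLENGE in `WWW-Authenticate: NTLM ...`, a Type 3 AUTHENTICATE carrying the domain and user name in clear text, and then either the real response or another 401. Because NTLM state is bound to the TCP connection, a proxy that answers the Type 3 with an HTTP/1.0 reply (implying connection close) instead of relaying the origin's answer is exactly the symptom to look for, and Amos's other suspicion, the server advertising Negotiate, is visible in the first 401. The script below is an added example, not code from the thread, Squid or Bluecoat: it decodes NTLMSSP tokens by their MS-NLMP layout, walks a constructed capture modelled on the two traces in the message (the Negotiate header in the first 401 and the `sharepoint.example` host are assumptions, and the LM/NT responses in the built Type 3 are zero placeholders, not real credentials) and reports where the handshake breaks.

```python
import base64
import struct

# --- NTLMSSP token parsing (MS-NLMP layout) ----------------------------------
SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001
NEGOTIATE_NTLM = 0x00000200
MSG_NAMES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def _field(buf, off):
    """Read an MS-NLMP (Len, MaxLen, Offset) descriptor and return its payload."""
    length, _maxlen, start = struct.unpack_from("<HHI", buf, off)
    return buf[start:start + length]


def parse_ntlm_token(b64token):
    """Decode the base64 token from an Authorization/WWW-Authenticate header."""
    raw = base64.b64decode(b64token)
    if raw[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP token")
    msg_type = struct.unpack_from("<I", raw, 8)[0]
    info = {"type": msg_type, "name": MSG_NAMES.get(msg_type, "UNKNOWN")}
    if msg_type == 3:  # AUTHENTICATE carries domain and user name in clear text
        flags = struct.unpack_from("<I", raw, 60)[0]
        enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"  # OEM approximated as ASCII
        info["domain"] = _field(raw, 28).decode(enc)
        info["user"] = _field(raw, 36).decode(enc)
    return info


# --- builders for the constructed capture (no real credentials involved) ------
def build_type1():
    flags = struct.pack("<I", NEGOTIATE_UNICODE | NEGOTIATE_NTLM)
    return base64.b64encode(SIGNATURE + struct.pack("<I", 1) + flags + bytes(16)).decode()


def build_type2(challenge=b"\x01\x23\x45\x67\x89\xab\xcd\xef"):
    empty = struct.pack("<HHI", 0, 0, 48)  # TargetName / TargetInfo absent
    flags = struct.pack("<I", NEGOTIATE_UNICODE | NEGOTIATE_NTLM)
    return base64.b64encode(SIGNATURE + struct.pack("<I", 2) + empty + flags
                            + challenge + bytes(8) + empty).decode()


def build_type3(domain, user, workstation="WS01"):
    payload = b""

    def add(data):  # append to payload, return the (Len, MaxLen, Offset) descriptor
        nonlocal payload
        desc = struct.pack("<HHI", len(data), len(data), 64 + len(payload))
        payload += data
        return desc

    # header field order is fixed by the spec: LM, NT, Domain, User, Workstation, SessionKey
    hdr = (SIGNATURE + struct.pack("<I", 3)
           + add(bytes(24)) + add(bytes(24))  # placeholder LM/NT responses
           + add(domain.encode("utf-16-le")) + add(user.encode("utf-16-le"))
           + add(workstation.encode("utf-16-le")) + add(b"")
           + struct.pack("<I", NEGOTIATE_UNICODE | NEGOTIATE_NTLM))
    return base64.b64encode(hdr + payload).decode()


# --- walk a captured request/response sequence --------------------------------
def _hdr(headers, name):
    return [v for n, v in headers if n.lower() == name.lower()]


def analyze_exchange(steps):
    """steps: list of (start_line, [(header, value), ...]) on one client connection."""
    findings, seen, last_sent = [], set(), 0

    def note(code, detail):
        if code not in seen:
            seen.add(code)
            findings.append((code, detail))

    for start, headers in steps:
        if start.startswith("HTTP/"):  # reply from origin or proxy
            version, status = start.split()[:2]
            offers = _hdr(headers, "WWW-Authenticate")
            if any(o.startswith("Negotiate") for o in offers):
                note("NEGOTIATE_OFFERED", "Negotiate advertised; Windows 7 prefers it over raw NTLM")
            for o in offers:
                if o.startswith("NTLM ") and parse_ntlm_token(o[5:])["type"] == 2:
                    note("CHALLENGE_RECEIVED", start)
            if last_sent == 3:  # the reply to AUTHENTICATE decides success or failure
                if status == "401":
                    note("AUTH_REJECTED_AFTER_AUTHENTICATE", start)
                    conn = [c.lower() for c in _hdr(headers, "Connection")]
                    if "close" in conn or (version == "HTTP/1.0" and "keep-alive" not in conn):
                        note("CONNECTION_NOT_PINNED",
                             "reply closes the connection; NTLM state lives on the TCP connection")
                else:
                    note("AUTH_OK", start)
                last_sent = 0
        else:  # client request
            for a in _hdr(headers, "Authorization"):
                if a.startswith("NTLM "):
                    tok = parse_ntlm_token(a[5:])
                    last_sent = tok["type"]
                    if tok["type"] == 3:
                        note("AUTHENTICATE_SENT", tok["domain"] + "\\" + tok["user"])
    return findings


# Constructed capture modelled on the message's Steps 1-4 (host name assumed).
_COMMON = [
    ("HTTP/1.1 401 Access denied", [("WWW-Authenticate", "Negotiate"), ("WWW-Authenticate", "NTLM")]),
    ("GET http://sharepoint.example/ HTTP/1.1", [("Authorization", "NTLM " + build_type1())]),
    ("HTTP/1.1 401 Unauthorized", [("WWW-Authenticate", "NTLM " + build_type2())]),
    ("GET http://sharepoint.example/ HTTP/1.1",
     [("Authorization", "NTLM " + build_type3("hqdomain", "myusername"))]),
]
WORKING_EXCHANGE = _COMMON + [("HTTP/1.1 301 Moved Permanently",
                               [("Location", "http://sharepoint.example/default.aspx")])]
BROKEN_EXCHANGE = _COMMON + [("HTTP/1.0 401 Unauthorized", [("WWW-Authenticate", "NTLM")])]

if __name__ == "__main__":
    for name, steps in (("XP via Squid", WORKING_EXCHANGE), ("Win7 via Squid", BROKEN_EXCHANGE)):
        print(name)
        for code, detail in analyze_exchange(steps):
            print("  ", code, "-", detail)
```

Run against a real capture, paste the start lines and headers of each hop in order; the parser prints the domain and user from the Type 3, which is worth remembering when sharing traces on a public list, since that field is never encrypted.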

This archive was generated by hypermail 2.2.0 : Sat Nov 19 2011 - 12:00:03 MST