Re: [squid-users] NTLM authentication to external sites using Windows 7

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 19 Nov 2011 13:28:28 +1300

On 19/11/2011 8:53 a.m., Øyvind Haddal wrote:
> Amos,
>
> I am having this issue on all sites with this type of authentication
> (Windows security popup box), it's not specifically related to one
> site.

Well, I'm sad to have to say this but be prepared for it never to work.
This is a problem caused in one way or another by NTLM violating the
HTTP standards and assuming things about the network that are simply not
true once you go from a highly controlled MS-centric LAN to the
Internet (simple assumptions like a TCP connection always carrying packets
from the same user, which is not even true on a LAN).

That you had it working for XP is a good sign that it might be able to
be hacked up for Windows7.

>
> Have tested with Wireshark when accessing one of our Sharepoint sites
> with both Windows XP and 7, here's how the communication goes;
>
> Step 1. HTTP/1.1 401 Access denied
> Step 2. GET http://sharepointURL/ HTTP/1.1 , NTLMSSP_NEGOTIATE
> Step 3. HTTP/1.1 401 Unauthorized , NTLMSSP_CHALLENGE
> Step 4. GET http://sharepointURL/ HTTP/1.1 , NTLMSSP_AUTH, User:
> hqdomain\myusername
>
> On Windows XP through Squid, and both Windows XP and 7 directly to
> Bluecoat, Step 5 will give; GET http://sharepointURL/default.aspx
> HTTP/1.1 after it's performed a 301 redirect to default.aspx
>
> On Windows 7 through Squid, I get; HTTP/1.0 401 Unauthorized, which
> then prompts for re-authentication.
>
> I'm not seeing any difference in Step 1-4, but I'm fairly new to this
> and am unsure what I should be looking for, I may be missing
> something.

From that the only difference is HTTP/1.0 vs HTTP/1.1.

The browser deciding to prompt instead of finishing sending the credentials
is an indication that it cannot support the NTLM version. Or the server
is requesting credentials for a domain which the browser does not have
any credentials for. Or the server has closed the TCP connection (NTLM
assumes that is the same as credentials failing); in HTTP, connections
may close at any time for any number of reasons completely unrelated to
credentials.

Amos
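The four-step exchange quoted above, and the "HTTP/1.0 401 after the Type 3 message" failure that follows it, can be reproduced offline with a small decoder that reads the NTLMSSP blobs out of the Authorization / WWW-Authenticate headers and tracks the handshake per TCP connection. This is an added example, not Squid code and not from either poster: the three NTLM messages are constructed here with the real MS-NLMP field layout (signature, message type, security buffers) but with empty LM/NT responses, so nothing in it validates credentials; it only shows where the handshake stands on the connection and how the browser's "re-prompt" case arises. The rule that an HTTP/1.0 response without keep-alive, or an explicit Connection: close, means the peer is dropping the connection is an assumption of the example; `sharepointURL` and `hqdomain\myusername` are taken from the post.

```python
"""Decode NTLMSSP messages in HTTP auth headers and track the handshake per
TCP connection.  Constructed example, not Squid code: the NTLM messages are
minimal (empty LM/NT responses) so that the layout parses, nothing more."""
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001  # NTLMSSP_NEGOTIATE_UNICODE: strings are UTF-16LE


def _buf(data, at):
    """Read an NTLM security buffer (Len u16, MaxLen u16, Offset u32) at `at`."""
    length, _maxlen, off = struct.unpack_from("<HHI", data, at)
    return data[off:off + length]


def parse_ntlm(b64):
    """Return {'type': n} for a base64 NTLMSSP blob; type 3 also yields domain/user."""
    data = base64.b64decode(b64)
    if data[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", data, 8)
    info = {"type": msg_type}
    if msg_type == 3:  # AUTHENTICATE_MESSAGE: DomainName at 28, UserName at 36, flags at 60
        (flags,) = struct.unpack_from("<I", data, 60)
        enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "latin-1"
        info["domain"] = _buf(data, 28).decode(enc)
        info["user"] = _buf(data, 36).decode(enc)
    return info


def build_type1(flags=NEGOTIATE_UNICODE):
    """NEGOTIATE_MESSAGE with empty domain/workstation buffers (32-byte header)."""
    return SIGNATURE + struct.pack("<II", 1, flags) + struct.pack("<HHI", 0, 0, 32) * 2


def build_type2(challenge=bytes(range(8)), flags=NEGOTIATE_UNICODE):
    """CHALLENGE_MESSAGE with empty TargetName/TargetInfo (48-byte header)."""
    return (SIGNATURE + struct.pack("<I", 2) + struct.pack("<HHI", 0, 0, 48)
            + struct.pack("<I", flags) + challenge + b"\x00" * 8
            + struct.pack("<HHI", 0, 0, 48))


def build_type3(domain, user, flags=NEGOTIATE_UNICODE):
    """AUTHENTICATE_MESSAGE: 64-byte header, then domain and user in the payload."""
    d, u = domain.encode("utf-16-le"), user.encode("utf-16-le")
    base = 64
    hdr = SIGNATURE + struct.pack("<I", 3)
    hdr += struct.pack("<HHI", 0, 0, base)                     # LmChallengeResponse (empty)
    hdr += struct.pack("<HHI", 0, 0, base)                     # NtChallengeResponse (empty)
    hdr += struct.pack("<HHI", len(d), len(d), base)           # DomainName
    hdr += struct.pack("<HHI", len(u), len(u), base + len(d))  # UserName
    hdr += struct.pack("<HHI", 0, 0, base + len(d) + len(u))   # Workstation (empty)
    hdr += struct.pack("<HHI", 0, 0, base + len(d) + len(u))   # EncryptedRandomSessionKey
    hdr += struct.pack("<I", flags)
    return hdr + d + u


def b64(msg):
    return base64.b64encode(msg).decode("ascii")


def analyze(exchange):
    """Walk (side, start_line, headers) records captured on ONE TCP connection.
    NTLM binds the authenticated identity to the connection, so the state
    machine lives here, not in a cookie or in the URL."""
    state, identity = "anonymous", None
    for side, start_line, headers in exchange:
        if side == "C":
            auth = headers.get("Authorization", "")
            if not auth.startswith("NTLM "):
                continue
            msg = parse_ntlm(auth[5:])
            if msg["type"] == 1:
                state = "negotiate-sent"
            elif msg["type"] == 3:
                state = "authenticate-sent"
                identity = "%s\\%s" % (msg["domain"], msg["user"])
        else:
            version, status = start_line.split()[:2]
            www = headers.get("WWW-Authenticate", "")
            conn = headers.get("Connection", "").lower()
            if state == "negotiate-sent" and www.startswith("NTLM ") \
                    and parse_ntlm(www[5:])["type"] == 2:
                state = "challenge-received"
            elif state == "authenticate-sent":
                if status[0] in "23":
                    state = "authenticated"
                # A 401 after the Type 3 on a connection the peer is dropping is the
                # browser's re-prompt case.  Heuristic (assumption of this example):
                # HTTP/1.0 without keep-alive, or Connection: close, ends the connection.
                elif conn == "close" or (version == "HTTP/1.0" and conn != "keep-alive"):
                    state = "failed-connection-closed"
                else:
                    state = "failed"
    return {"state": state, "identity": identity}


def sample(final_response):
    """Steps 1-4 from the post (constructed messages), then the given step-5 response."""
    return [
        ("S", "HTTP/1.1 401 Access denied", {"WWW-Authenticate": "NTLM"}),
        ("C", "GET http://sharepointURL/ HTTP/1.1",
         {"Authorization": "NTLM " + b64(build_type1())}),
        ("S", "HTTP/1.1 401 Unauthorized", {"WWW-Authenticate": "NTLM " + b64(build_type2())}),
        ("C", "GET http://sharepointURL/ HTTP/1.1",
         {"Authorization": "NTLM " + b64(build_type3("hqdomain", "myusername"))}),
        final_response,
    ]


XP_VIA_SQUID = sample(("S", "HTTP/1.1 301 Moved Permanently",
                       {"Location": "http://sharepointURL/default.aspx"}))
WIN7_VIA_SQUID = sample(("S", "HTTP/1.0 401 Unauthorized", {"WWW-Authenticate": "NTLM"}))

if __name__ == "__main__":
    print(analyze(XP_VIA_SQUID))
    print(analyze(WIN7_VIA_SQUID))
```

When pointed at a real capture, feed `analyze()` the requests and responses of one TCP stream only; mixing streams is exactly the error the post describes, since a Type 3 accepted on one connection says nothing about the next one. The decoder also makes the "wrong domain" case in the reply visible: the domain and user it pulls from the Type 3 are what the server is being asked to accept.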
Received on Sat Nov 19 2011 - 00:28:38 MST

This archive was generated by hypermail 2.2.0 : Sat Nov 19 2011 - 12:00:03 MST