Re: [squid-users] NTLM passthru authentication

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 09 Mar 2012 00:32:15 +1300

On 8/03/2012 8:18 p.m., kimi ge(巍俊葛) wrote:
> Hi,
>
> Can someone take a look at the following issue which I ran into?
> Here are the details:
> Outline: squid 2.6 as the reverse-proxy for IIS (SharePoint) site.
> IIS uses the NTLM authentication.
>
> Regarding the squid document, squid 2.6+ or squid 3.1+ support
> NTLM passthru authentication by Connection Pinning.
>
> My problem is it always shows the 404 error code.
> No NTLM prompt window is shown.

404 means URL does not exist. Nothing to do with authentication at all.

There is something funky happening though.

>
> 16.178.121.18 my desktop IP
> 192.57.84.244 squid reverse proxy IP
> 16.173.232.237 IIS(SharePoint) site.
>
> Red Hat Enterprise Linux Server release 5.7 (Tikanga) (64bit)
> /usr/sbin/squid -v
> Squid Cache: Version 2.6.STABLE21
>
> The following packets are captured by tshark.

Hint: next time use "follow TCP stream" to obtain a human-readable trace
of the packets.

As you can clearly see the connections are persistent but there is no
NTLM involved below...

Client makes a request (no credentials at all)....
> 4 0.260075 16.178.121.18 -> 192.57.84.244 HTTP GET /SitePages/Square.aspx HTTP/1.1
>
> 0000 00 50 56 ac 00 c6 00 22 0c d5 bc 00 08 00 45 00 .PV...."......E.
> 0010 02 63 3a 5b 40 00 76 06 29 48 10 b2 79 12 c0 39 .c:[@.v.)H..y..9
> 0020 54 f4 fd 41 00 50 e8 0d e1 a6 eb ce 13 68 50 18 T..A.P.......hP.
> 0030 40 b0 01 21 00 00 47 45 54 20 2f 53 69 74 65 50 @..!..GET /SiteP
> 0040 61 67 65 73 2f 53 71 75 61 72 65 2e 61 73 70 78 ages/Square.aspx
> 0050 20 48 54 54 50 2f 31 2e 31 0d 0a 41 63 63 65 70 HTTP/1.1..Accep
> 0060 74 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 t: application/x
> 0070 2d 6d 73 2d 61 70 70 6c 69 63 61 74 69 6f 6e 2c -ms-application,
> 0080 20 69 6d 61 67 65 2f 6a 70 65 67 2c 20 61 70 70 image/jpeg, app
> 0090 6c 69 63 61 74 69 6f 6e 2f 78 61 6d 6c 2b 78 6d lication/xaml+xm
> 00a0 6c 2c 20 69 6d 61 67 65 2f 67 69 66 2c 20 69 6d l, image/gif, im
> 00b0 61 67 65 2f 70 6a 70 65 67 2c 20 61 70 70 6c 69 age/pjpeg, appli
> 00c0 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 78 62 61 70 cation/x-ms-xbap
> 00d0 2c 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 76 6e , application/vn
> 00e0 64 2e 6d 73 2d 65 78 63 65 6c 2c 20 61 70 70 6c d.ms-excel, appl
> 00f0 69 63 61 74 69 6f 6e 2f 76 6e 64 2e 6d 73 2d 70 ication/vnd.ms-p
> 0100 6f 77 65 72 70 6f 69 6e 74 2c 20 61 70 70 6c 69 owerpoint, appli
> 0110 63 61 74 69 6f 6e 2f 6d 73 77 6f 72 64 2c 20 2a cation/msword, *
> 0120 2f 2a 0d 0a 41 63 63 65 70 74 2d 4c 61 6e 67 75 /*..Accept-Langu
> 0130 61 67 65 3a 20 65 6e 2d 55 53 0d 0a 55 73 65 72 age: en-US..User
> 0140 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f -Agent: Mozilla/
> 0150 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 4.0 (compatible;
> 0160 20 4d 53 49 45 20 37 2e 30 3b 20 57 69 6e 64 6f MSIE 7.0; Windo
> 0170 77 73 20 4e 54 20 36 2e 31 3b 20 57 4f 57 36 34 ws NT 6.1; WOW64
> 0180 3b 20 54 72 69 64 65 6e 74 2f 34 2e 30 3b 20 53 ; Trident/4.0; S
> 0190 4c 43 43 32 3b 20 2e 4e 45 54 20 43 4c 52 20 32 LCC2; .NET CLR 2
> 01a0 2e 30 2e 35 30 37 32 37 3b 20 2e 4e 45 54 20 43 .0.50727; .NET C
> 01b0 4c 52 20 33 2e 35 2e 33 30 37 32 39 3b 20 2e 4e LR 3.5.30729; .N
> 01c0 45 54 20 43 4c 52 20 33 2e 30 2e 33 30 37 32 39 ET CLR 3.0.30729
> 01d0 3b 20 4d 65 64 69 61 20 43 65 6e 74 65 72 20 50 ; Media Center P
> 01e0 43 20 36 2e 30 3b 20 49 6e 66 6f 50 61 74 68 2e C 6.0; InfoPath.
> 01f0 32 3b 20 2e 4e 45 54 34 2e 30 43 3b 20 41 73 6b 2; .NET4.0C; Ask
> 0200 54 62 50 54 56 2f 35 2e 31 34 2e 31 2e 32 30 30 TbPTV/5.14.1.200
> 0210 30 37 29 0d 0a 41 63 63 65 70 74 2d 45 6e 63 6f 07)..Accept-Enco
> 0220 64 69 6e 67 3a 20 67 7a 69 70 2c 20 64 65 66 6c ding: gzip, defl
> 0230 61 74 65 0d 0a 48 6f 73 74 3a 20 75 6b 77 74 73 ate..Host: ukwts
> 0240 76 75 6c 78 33 38 30 2e 65 6c 61 62 73 2e 65 64 vulx380.elabs.ed
> 0250 73 2e 63 6f 6d 0d 0a 43 6f 6e 6e 65 63 74 69 6f s.com..Connectio
> 0260 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 0d n: Keep-Alive...
> 0270 0a .

I guess you configured cache_peer with the new login=PASSTHRU setting
from squid-3.2.

Squid obediently attaches Basic authentication username "PASSTHRU" and
passes on the request ...

> 9 0.535519 192.57.84.244 -> 16.173.232.237 HTTP GET /SitePages/Square.aspx HTTP/1.0
>
> 0000 00 22 0c d5 bc 00 00 50 56 ac 00 c6 08 00 45 00 .".....PV.....E.
> 0010 03 1f 2b 09 40 00 40 06 fe 07 c0 39 54 f4 10 ad ..+.@.@....9T...
> 0020 e8 ed ab ef 00 50 85 f2 0a aa 8e d3 03 b1 80 18 .....P..........
> 0030 00 2e c2 8a 00 00 01 01 08 0a 79 b6 22 c6 0a 26 ..........y."..&
> 0040 cb c0 47 45 54 20 2f 53 69 74 65 50 61 67 65 73 ..GET /SitePages
> 0050 2f 53 71 75 61 72 65 2e 61 73 70 78 20 48 54 54 /Square.aspx HTT
> 0060 50 2f 31 2e 30 0d 0a 41 63 63 65 70 74 3a 20 61 P/1.0..Accept: a
> 0070 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d pplication/x-ms-
> 0080 61 70 70 6c 69 63 61 74 69 6f 6e 2c 20 69 6d 61 application, ima
> 0090 67 65 2f 6a 70 65 67 2c 20 61 70 70 6c 69 63 61 ge/jpeg, applica
> 00a0 74 69 6f 6e 2f 78 61 6d 6c 2b 78 6d 6c 2c 20 69 tion/xaml+xml, i
> 00b0 6d 61 67 65 2f 67 69 66 2c 20 69 6d 61 67 65 2f mage/gif, image/
> 00c0 70 6a 70 65 67 2c 20 61 70 70 6c 69 63 61 74 69 pjpeg, applicati
> 00d0 6f 6e 2f 78 2d 6d 73 2d 78 62 61 70 2c 20 61 70 on/x-ms-xbap, ap
> 00e0 70 6c 69 63 61 74 69 6f 6e 2f 76 6e 64 2e 6d 73 plication/vnd.ms
> 00f0 2d 65 78 63 65 6c 2c 20 61 70 70 6c 69 63 61 74 -excel, applicat
> 0100 69 6f 6e 2f 76 6e 64 2e 6d 73 2d 70 6f 77 65 72 ion/vnd.ms-power
> 0110 70 6f 69 6e 74 2c 20 61 70 70 6c 69 63 61 74 69 point, applicati
> 0120 6f 6e 2f 6d 73 77 6f 72 64 2c 20 2a 2f 2a 0d 0a on/msword, */*..
> 0130 41 63 63 65 70 74 2d 4c 61 6e 67 75 61 67 65 3a Accept-Language:
> 0140 20 65 6e 2d 55 53 0d 0a 55 73 65 72 2d 41 67 65 en-US..User-Age
> 0150 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 nt: Mozilla/4.0
> 0160 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 (compatible; MSI
> 0170 45 20 37 2e 30 3b 20 57 69 6e 64 6f 77 73 20 4e E 7.0; Windows N
> 0180 54 20 36 2e 31 3b 20 57 4f 57 36 34 3b 20 54 72 T 6.1; WOW64; Tr
> 0190 69 64 65 6e 74 2f 34 2e 30 3b 20 53 4c 43 43 32 ident/4.0; SLCC2
> 01a0 3b 20 2e 4e 45 54 20 43 4c 52 20 32 2e 30 2e 35 ; .NET CLR 2.0.5
> 01b0 30 37 32 37 3b 20 2e 4e 45 54 20 43 4c 52 20 33 0727; .NET CLR 3
> 01c0 2e 35 2e 33 30 37 32 39 3b 20 2e 4e 45 54 20 43 .5.30729; .NET C
> 01d0 4c 52 20 33 2e 30 2e 33 30 37 32 39 3b 20 4d 65 LR 3.0.30729; Me
> 01e0 64 69 61 20 43 65 6e 74 65 72 20 50 43 20 36 2e dia Center PC 6.
> 01f0 30 3b 20 49 6e 66 6f 50 61 74 68 2e 32 3b 20 2e 0; InfoPath.2; .
> 0200 4e 45 54 34 2e 30 43 3b 20 41 73 6b 54 62 50 54 NET4.0C; AskTbPT
> 0210 56 2f 35 2e 31 34 2e 31 2e 32 30 30 30 37 29 0d V/5.14.1.20007).
> 0220 0a 41 63 63 65 70 74 2d 45 6e 63 6f 64 69 6e 67 .Accept-Encoding
> 0230 3a 20 67 7a 69 70 2c 20 64 65 66 6c 61 74 65 0d : gzip, deflate.
> 0240 0a 48 6f 73 74 3a 20 75 6b 77 74 73 76 75 6c 78 .Host: ukwtsvulx
> 0250 33 38 30 2e 65 6c 61 62 73 2e 65 64 73 2e 63 6f 380.elabs.eds.co
> 0260 6d 0d 0a 56 69 61 3a 20 31 2e 31 20 75 6b 77 74 m..Via: 1.1 ukwt
> 0270 73 76 75 6c 78 33 38 30 2e 65 6c 61 62 73 2e 65 svulx380.elabs.e
> 0280 64 73 2e 63 6f 6d 3a 38 30 20 28 73 71 75 69 64 ds.com:80 (squid
> 0290 2f 32 2e 36 2e 53 54 41 42 4c 45 32 31 29 0d 0a /2.6.STABLE21)..
> 02a0 58 2d 46 6f 72 77 61 72 64 65 64 2d 46 6f 72 3a X-Forwarded-For:
> 02b0 20 31 36 2e 31 37 38 2e 31 32 31 2e 31 38 0d 0a 16.178.121.18..
> 02c0 50 72 6f 78 79 2d 41 75 74 68 6f 72 69 7a 61 74 Proxy-Authorizat
> 02d0 69 6f 6e 3a 20 42 61 73 69 63 20 55 45 46 54 55 ion: Basic UEFTU
> 02e0 31 52 49 55 6c 55 3d 0d 0a 41 75 74 68 6f 72 69 1RIUlU=..Authori
> 02f0 7a 61 74 69 6f 6e 3a 20 42 61 73 69 63 20 55 45 zation: Basic UE
> 0300 46 54 55 31 52 49 55 6c 55 3d 0d 0a 43 61 63 68 FTU1RIUlU=..Cach
> 0310 65 2d 43 6f 6e 74 72 6f 6c 3a 20 6d 61 78 2d 61 e-Control: max-a
> 0320 67 65 3d 32 35 39 32 30 30 0d 0a 0d 0a ge=259200....

... and the server produces 404. URL not found / does not exist before
closing the connection.

> 10 0.803484 16.173.232.237 -> 192.57.84.244 HTTP HTTP/1.1 404 Not Found (text/html)
>
> 0000 00 50 56 ac 00 c6 00 22 0c d5 bc 00 08 00 45 00 .PV...."......E.
> 0010 02 20 27 e3 40 00 76 06 cc 2c 10 ad e8 ed c0 39 . '.@.v..,.....9
> 0020 54 f4 00 50 ab ef 8e d3 03 b1 85 f2 0d 95 80 18 T..P............
> 0030 01 00 b8 93 00 00 01 01 08 0a 0a 26 cb db 79 b6 ...........&..y.
> 0040 22 c6 48 54 54 50 2f 31 2e 31 20 34 30 34 20 4e ".HTTP/1.1 404 N
> 0050 6f 74 20 46 6f 75 6e 64 0d 0a 43 6f 6e 74 65 6e ot Found..Conten
> 0060 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d t-Type: text/htm
> 0070 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 l; charset=us-as
> 0080 63 69 69 0d 0a 53 65 72 76 65 72 3a 20 4d 69 63 cii..Server: Mic
> 0090 72 6f 73 6f 66 74 2d 48 54 54 50 41 50 49 2f 32 rosoft-HTTPAPI/2
> 00a0 2e 30 0d 0a 44 61 74 65 3a 20 54 68 75 2c 20 30 .0..Date: Thu, 0
> 00b0 38 20 4d 61 72 20 32 30 31 32 20 30 37 3a 30 37 8 Mar 2012 07:07
> 00c0 3a 30 35 20 47 4d 54 0d 0a 43 6f 6e 6e 65 63 74 :05 GMT..Connect
> 00d0 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 43 6f 6e 74 ion: close..Cont
> 00e0 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 33 31 35 0d ent-Length: 315.
>

Amos
Received on Thu Mar 08 2012 - 11:34:12 MST
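
Added example, not part of the original message or of Squid: a small Python check that compares the client-side and upstream-side request heads from the trace above, reports auth headers the proxy added on its own, and decodes any Basic token without exposing a password. The header text is a constructed, trimmed copy of the two requests in the capture; the function names are hypothetical.

```python
import base64

# Constructed sample: the two request heads from the trace above
# (client -> proxy, proxy -> origin), trimmed to the relevant fields.
CLIENT_REQ = (
    "GET /SitePages/Square.aspx HTTP/1.1\r\n"
    "Host: ukwtsvulx380.elabs.eds.com\r\n"
    "Connection: Keep-Alive\r\n\r\n"
)
PROXY_REQ = (
    "GET /SitePages/Square.aspx HTTP/1.0\r\n"
    "Host: ukwtsvulx380.elabs.eds.com\r\n"
    "Via: 1.1 ukwtsvulx380.elabs.eds.com:80 (squid/2.6.STABLE21)\r\n"
    "X-Forwarded-For: 16.178.121.18\r\n"
    "Proxy-Authorization: Basic UEFTU1RIUlU=\r\n"
    "Authorization: Basic UEFTU1RIUlU=\r\n\r\n"
)
AUTH_HEADERS = ("authorization", "proxy-authorization")

def parse_headers(raw):
    """Return {lower-case name: value} for one raw HTTP request head."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = (line.split(":", 1) for line in head.split("\r\n")[1:] if ":" in line)
    return {name.strip().lower(): value.strip() for name, value in pairs}

def describe_credential(value):
    """Classify an auth header value as (scheme, user name or note)."""
    scheme, _, token = value.partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        try:
            decoded = base64.b64decode(token, validate=True).decode("latin-1")
        except ValueError:  # binascii.Error is a ValueError subclass
            return scheme, "undecodable"
        user, sep, _ = decoded.partition(":")  # password part is never returned
        return scheme, user if sep else decoded + " (no ':' separator)"
    return scheme, ""  # NTLM/Negotiate tokens are not decoded here

def injected_credentials(client_raw, proxy_raw):
    """Auth headers present upstream that the client never sent."""
    client, upstream = parse_headers(client_raw), parse_headers(proxy_raw)
    return {h: describe_credential(upstream[h])
            for h in AUTH_HEADERS if h in upstream and h not in client}

def ntlm_in_flight(*raws):
    """True if any request head carries an NTLM or Negotiate token."""
    return any(parse_headers(r).get(h, "").lower().startswith(("ntlm", "negotiate"))
               for r in raws for h in AUTH_HEADERS)
```

On the sample, both auth headers are reported as proxy-injected Basic credentials that decode to the bare string PASSTHRU, and no NTLM token appears on either hop.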
