RE: [squid-users] Login Popups on Windows XP with squid_kerb_auth and external acl

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 15 Mar 2012 12:37:17 +1300

On 15.03.2012 00:51, Игорь Потапов wrote:
> I've found failing component. It’s external_acl_type with the %LOGIN
> parameter. It starts some kind of authentication if it thinks user
> is not authenticated. And that procedure forces IE on XP to open login
> window. I think that procedure is different one than in
> squid_kerb_auth's ACL.
> How can I help to determine root cause of this issue?

To use authenticated details to check authorization one must first have
authenticated them successfully.

proxy_auth is a simple: test authenticated yes/no. It requires
credentials to be (1) known; at the point and time when the ACL is
tested.

external ACL with %LOGIN is a more complex: test authenticate AND test
authorized yes/no. %LOGIN requires user credentials to be (1) known, (2)
valid, (3) current; at the point and time when the external ACL is
tested.

If they are not meeting all three criteria, Squid will attempt to fetch
some which do meet the criteria.

We have had some troubles in the past (until very recently) with
external ACL identifying the current+valid parts of the criteria wrong.
As far as I know these are fixed now in 3.1.19. But you are of course
welcome to investigate and see if we missed some case that is affecting
IE8.

Amos

>
>> -----Original Message-----
>> From: Игорь Потапов
>>
>> Hi.
>> squid is 3.1.19 on FreeBSD 8.2 with MIT kerberos. squid_kerb_auth is
>> in use as the only
>> auth scheme. Have some external acl to check authorization in mysql
>> db. On machines
>> running XP SP2 with IE8 (enabled Windows Integrated Auth) sometimes
>> authentication
>> windows pop up. I think this is happening if some request is denied
>> by external auth
>> script. If I hit Cancel page loads further. On Windows 7 see no such
>> behavior.
>> Config is here http://pastebin.com/QyCiha8Q Here is external auth
>> script
>> http://pastebin.com/LiAmniSz I think IE8 on XP sometimes doesn't
>> send Authorization and
>> asks for it. Or falls back to NTLM. I've made some workarounds to
>> disable login windows
>> but on XP they appear.
>> Can I force IE8 on XP to use only negotiate/Kerberos?
Received on Wed Mar 14 2012 - 23:37:20 MDT
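
The difference between the two ACL types discussed in this thread, as an added squid.conf example that is not part of the original messages and not the poster's configuration. The helper paths, the ACL names and the `db_check.pl` script are assumptions; the last-ACL behaviour in the comments is Squid's documented handling of deny lines.

```conf
# Constructed squid.conf fragment (Squid 3.1 syntax). Helper paths, ACL
# names and db_check.pl are assumptions, not taken from the thread.

auth_param negotiate program /usr/local/libexec/squid/squid_kerb_auth
auth_param negotiate children 10
auth_param negotiate keep_alive on

# Authentication only: matches once credentials are known.
acl authed proxy_auth REQUIRED

# Authorization: %LOGIN hands the authenticated user name to the helper,
# so Squid needs known, valid and current credentials before it can run
# the lookup. ttl/negative_ttl cache the helper's OK/ERR answers.
external_acl_type db_check ttl=300 negative_ttl=60 children=5 %LOGIN /usr/local/libexec/squid/db_check.pl
acl db_ok external db_check

# 1. Challenge on the plain authentication test, before any
#    authorization lookup is attempted.
http_access deny !authed

# 2a. Deny line whose last ACL is authentication-related: when the helper
#     answers ERR, Squid replies 407 with a fresh challenge, which a
#     browser may present as a login window.
# http_access deny !db_ok

# 2b. Same test with a non-authentication ACL last ("all" is built in):
#     a helper ERR now yields a plain 403 access-denied page instead of
#     a new challenge.
http_access deny !db_ok all

http_access allow authed
http_access deny all
```

Run `squid -k parse` after editing to confirm the fragment is accepted by the installed version before reloading.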
