Re: [squid-users] RE: Diffence between NTLM in 2.6 compared to 3.3.5 - Citrix ? from Amos Jeffries on 2013-05-30 (squid-users)

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 31 May 2013 14:44:07 +1200

On 31/05/2013 12:24 p.m., Kris Glynn wrote:
>> -----Original Message-----
>> From: Kris Glynn
>> Sent: Wednesday, 29 May 2013 1:07 PM
>> To: squid-users_at_squid-cache.org
>> Subject: Diffence between NTLM in 2.6 compared to 3.3.5 - Citrix ?
>>
>> I've noticed that since upgrading from Squid 2.6 to Squid 3.3.5 the Citrix ICA Client will no longer authenticate via NTLM to squid 3.3.5 - the ICA client just keeps popping up asking for NTLM auth - at no stage does it fallback to basic auth.
>>
>> Every other NTLM aware application whether it be IE, Firefox, Chrome and even curl works fine and can authenticate no problems via NTLM however the Citrix ICA client just won't work.
>>
>> If I change back to squid 2.6 it works fine. Both are using exactly the same squid.conf with...
>>
>> # Pure NTLM Auth - fallback
>> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
>> auth_param ntlm children 60 startup=15 idle=10 auth_param ntlm keep_alive off
>>
>> # BASIC Auth - fallback
>> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic auth_param basic children 10 auth_param basic realm Internet Access auth_param basic credentialsttl 1 hours
>>
>> Has anyone else experienced this?
> To answer my own question it was due to Citrix ICA Client (I'm using 13.4.0 - latest version) ignoring "Connection: keep-alive" headers in squid 3.3.x and starting new connection breaking the NTLM auth challenge.
>
> Squid 2.6.x sends "Proxy-Connection: keep-alive" with NTLM auth responses which is the only header the Citrix ICA Client appears to accept to maintain keepalive.
>
> What RFC can I point Citrix at so I can submit a bug with them to fix their client and accept both headers? Am I correct in saying that Squid 2.6 is a HTTP/1.0 proxy and 3.x are HTTP/1.1 proxies?

You can point them at RFC 2616...

in section 8.1.2 on how persistence is controlled:

"
    Persistent connections provide a mechanism by which a client and a
    server can signal the close of a TCP connection. This signaling takes
    place using the Connection header field (section 14.10).
"

in section 8.1.3 on what proxies are required to do:

"
    It is especially important that proxies correctly implement the
    properties of the Connection header field as specified in section
    14.10.
"

note this section 8.1.3 requirement means following a non-standard
Proxy-Connection and ignoring the mandatory Connection is a violation
and will cause problems when they differ.

Here is another good explanation of what is wrong with it:
http://homepage.ntlworld.com/jonathan.deboynepollard/FGA/web-proxy-connection-header.html

There is a myth floating around that 2.6 etc do not obey Connection
properly. That is not entirely true. They only have problems when
Proxy-Connection is delivered and/or the Connection header is omitted
entirely. The newer squid have better handling, but to be conservative
sending it explicitly when contacting a proxy appears to be the best choice.

Amos
Received on Fri May 31 2013 - 02:44:17 MDT

This archive was generated by hypermail 2.2.0 : Fri May 31 2013 - 12:00:08 MDT