Re: [squid-users] NTLM issues *Pretty long*

From: Jan Heyelmann <[email protected]>
Date: Wed, 28 Jan 2004 19:26:22 +0100

Hello David,
do you experience the same problem when using IE 5.5 or IE 6 without
SP1? If not, you might want to look at MS KB 820780. Following is a
quote from that article.

<quote>
MORE INFORMATION
If the "401" response page content is smaller than 1460 bytes, Internet
Explorer closes the current connection and tries to re-use a previous
connection from the keep-alive pool for that server. Because ISA (or any
other proxy) has closed the related connection between ISA and the IIS
server, the re-use of the Internet Explorer connection does not work. As
a result, Internet Explorer produces an authentication prompt.

When the "401" response page is larger than 1460 bytes, Internet
Explorer must maintain the current connection so that it can drain the
socket of all pending data. This causes Internet Explorer to re-use this
socket for the later NTLM authentication traffic. As a result, the
connection works seamlessly.
</quote>

The number of popups was reduced when applying the MS hotfix, but the
problem was not entirely resolved. Maybe someone with more knowledge of
the ntlm communication could comment on the above quote. Could it be
that this is the reason why we get those authentication popups and is
there a way to get rid of this?

Jan

David Robinet wrote:
> Thanks, Henrik.
>
> I've literally pulled an all-nighter trying to get Squid up and running
> (I'd managed to figure that out - after several hours of looking at
> documentation, "Squid" and "Samba" began to look the same and I was
> reading "Squid" documentation).
>
> I've got authentication working for the most part. What I'm now
> experiencing is that it pops up the 3 box authentication prompt
> frequently, but not always. In other words, loading up www.yahoo.com
> might pop up the authentication box 4 times - it will load most graphics
> and maybe the top part of the HTML, for example, but it will ask for
> authentication over and over again.
>
> I've tried increasing the helper children to 15 (I was at 5), but that
> didn't seem to help.
>
> The log file looks like this (partial, with comments):
>
*snip*
Received on Wed Jan 28 2004 - 15:38:54 MST

This archive was generated by hypermail pre-2.1.9 : Sun Feb 01 2004 - 12:00:09 MST