RE: [squid-users] NTLM Auth Problem.

From: Hal Douglas <[email protected]>
Date: Tue, 19 Oct 2004 10:55:57 +1100

Guys,

Thanks for your help with this. The Documentation I was using is supposed
to allow basic auth as a fallback if NTLM doesn't work. It turns out that
basic was taking over somehow, which is strange, but when I commented out
the basic auth section I'd setup (according to the docs) NTLM started
working. Which is strange, because I'd tried that in my last install.

Anyway, thanks for your help, NTLM auth is working now. Hope it still works
in the production system! ;)

L8r.

-----Original Message-----
From: Henrik Nordstrom [mailto:hno@squid-cache.org]
Sent: Monday, 18 October 2004 8:41 PM
To: Hal Douglas
Cc: 'Henrik Nordstrom'; squid-users@squid-cache.org
Subject: RE: [squid-users] NTLM Auth Problem.

On Mon, 18 Oct 2004, Hal Douglas wrote:

> 1098069200.802 1 10.0.1.8 TCP_DENIED/407 1747 GET
> http://www.google.com/ - NONE/- text/html [Accept: image/gif,
> image/x-xbitmap, image/jpeg, image/pjpeg,
> application/vnd.ms-powerpoint, application/vnd.ms-excel,
> application/msword, application/x-shockwave-flash,
> */*\r\nAccept-Language: en-au\r\nCookie:
> PREF=ID=17238ed846c9d38d:CR=1:TM=1096527005:LM=1096527005:S=kyLy_3fTUQ
> xpLp2g
> \r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2;
> .NET CLR
> 1.1.4322)\r\nHost: www.google.com\r\nProxy-Connection: Keep-Alive\r\n]
> [HTTP/1.0 407 Proxy Authentication Required\r\nServer:
> squid/2.5.STABLE6\r\nMime-Version: 1.0\r\nDate: Mon, 18 Oct 2004
> 03:13:20
> GMT\r\nContent-Type: text/html\r\nContent-Length: 1320\r\nExpires:
> Mon, 18 Oct 2004 03:13:20 GMT\r\nX-Squid-Error:
> ERR_CACHE_ACCESS_DENIED
> 0\r\nProxy-Authenticate: Basic realm="Pandora Squid Test Proxy blah
> blah
> blah"\r\nProxy-Authenticate: NTLM\r\n\r]

Did you get only this 407, or additional ones? NTLM uses 3 requests (minimum
2) per new TCP connection to the proxy to authenticate, and all three is
needed..

The expected sequence is

1. A simple 407 like the one above, indicating Squid accepts both Basic and
NTLM authentication.

2. A 407 where the browser sent a blob of information in Proxy-Authorize:
NLMT ... and Squid responds with a similar blob.

4. A 200 where the browser sent another blob of information (the actual user
credentials step) in it's Proxy-Authorize: NTLM header.

Regards
Henrik
Received on Mon Oct 18 2004 - 17:56:43 MDT

This archive was generated by hypermail pre-2.1.9 : Mon Nov 01 2004 - 12:00:02 MST