[squid-users] ntlm_auth & Windows Update

From: Daniel Halbe <[email protected]>
Date: Tue, 11 Oct 2005 10:28:38 +0100 (IST)

Hello @all,

I have a problem concerning the combination of ntlm_auth & Windows
Update. My scenario:
Squid 2.5.9-10sarge2 on Debian Sarge authenticates the users against MS
Active Directory with ntlm_auth, using this squid.conf:

########### squid.conf ###################
client_netmask 255.255.255.0
dns_nameservers XXX.YYY.172.3
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 15
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic credentialsttl 5 hours
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563      # https, snews
acl SSL_ports port 873          # rsync
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 631         # cups
acl Safe_ports port 873         # rsync
acl Safe_ports port 901         # SWAT
acl QUERY urlpath_regex cgi-bin \?
acl purge method PURGE
acl CONNECT method CONNECT
acl NTLMUsers proxy_auth REQUIRED
acl winupdate dstdomain .microsoft.com .windowsupdate.com
acl ftp proto FTP
no_cache deny winupdate
http_access allow all NTLMUsers
http_access allow winupdate
always_direct allow ftp
always_direct allow winupdate
no_cache deny QUERY
http_access deny all
http_reply_access allow all
icp_access deny all
cache_mgr root
dns_testnames heise.de google.de denic.de internic.net
######################################

I set up the ntlm_auth with this HowTo:
http://mkeadle.org/index.php?p=13

Everything was working fine until today, but now I have a problem using
the Windows Update web page. Without ntlm_auth I can access the page and
retrieve the updates. When I enable ntlm_auth as shown in the squid.conf,
the Windows Update page hangs while searching for updates :-(

In my opinion this is because of the ntlm_auth function:

######## access.log #########
XXX.YYY.172.0 TCP_DENIED/407 1861 GET http://www.microsoft.com/isapi/redir.dll? - NONE/- text/html
XXX.YYY.172.0 TCP_DENIED/407 1865 GET http://www.microsoft.com/isapi/redir.dll? - NONE/- text/html
XXX.YYY.172.0 TCP_MISS/302 625 GET http://www.microsoft.com/isapi/redir.dll? administrator DIRECT/207.46.20.30 text/html
XXX.YYY.172.0 TCP_MISS/304 414 GET http://windowsupdate.microsoft.com/ administrator DIRECT/207.46.225.221 -
###########################

As you can see, the proxy first says: Authentication required. Then the
client responds and sends an NTLM_AUTH challenge and the proxy permits
access. This works fine for every web page but not for Windows Update :-(

Should I post the whole relevant part of access.log (~ 60 lines)?
Is there another way to transparently authenticate users against MS
Active Directory?
Perhaps this is the wrong place to ask and I should contact the
ntlm_auth developers - what do you think?

Greets from Germany,

Daniel Halbe
Received on Tue Oct 11 2005 - 03:28:44 MDT
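The posted http_access list puts "allow winupdate" after "allow all NTLMUsers", and the log shows TCP_DENIED/407 for www.microsoft.com even though that host matches the winupdate ACL. The following added example (not part of the original post or of Squid) is a simplified Python model of Squid's first-match http_access evaluation under one assumption: a proxy_auth ACL reached without credentials ends evaluation with a 407 challenge. It compares the posted rule order with the same rules reordered so the unauthenticated exemption comes first.

```python
"""Simplified model of Squid's first-match http_access evaluation.

Added example, not Squid code. Assumption: a proxy_auth ACL evaluated
without credentials stops processing and returns a 407 challenge, which
is consistent with the posted access.log. When no line matches, the
model simply denies (the real default is the inverse of the last line;
with 'deny all' last the result is the same).
"""
from urllib.parse import urlsplit


def dstdomain(domains):
    """Model of 'acl X dstdomain': a leading dot matches the domain and
    every subdomain, otherwise only the exact host."""
    def match(req):
        host = (urlsplit(req["url"]).hostname or "").lower()
        return any(host == d.lstrip(".") or (d.startswith(".") and host.endswith(d))
                   for d in domains)
    return match


def proxy_auth_required(req):
    # Model of 'proxy_auth REQUIRED': None means "no credentials, must challenge".
    return None if req.get("user") is None else True


def acl_all(req):
    return True


def http_access(rules, req):
    """rules: list of (action, [acl, ...]); every ACL on a line must match.
    Returns 'allow', 'deny' or '407' (challenge sent, evaluation stops)."""
    for action, acls in rules:
        results = [acl(req) for acl in acls]
        if None in results:
            return "407"
        if all(results):
            return action
    return "deny"


# The ACLs and both rule orders use the names from the posted squid.conf.
WINUPDATE = dstdomain([".microsoft.com", ".windowsupdate.com"])
POSTED_ORDER = [("allow", [acl_all, proxy_auth_required]),
                ("allow", [WINUPDATE]),
                ("deny", [acl_all])]
REORDERED = [("allow", [WINUPDATE]),
             ("allow", [acl_all, proxy_auth_required]),
             ("deny", [acl_all])]


def decide(rules, url, user=None):
    return http_access(rules, {"url": url, "user": user})
```

Note that the reordered list lets any client on the proxy's network reach the winupdate domains without authenticating, so those entries appear in access.log with "-" as the user; that is the trade-off of the exemption.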

This archive was generated by hypermail pre-2.1.9 : Tue Nov 01 2005 - 12:00:04 MST