Re: [squid-users] SquidNT: Strange Internet explorer authentication popup - I'm forced to recreate user profile

From: Richard Greaney <[email protected]>
Date: Sat, 21 Oct 2006 08:29:24 +1300

Reale Marco wrote:
> I'm using squid nt 2.6 stable 4 on windows 2003 server from 1 year (in
> active directory environment) with ntlm auth and it works very well
> (stable, fast, and no big problems)
>
> My configuration file is (I report only interesting section):
>
> ---------------Squid config----------------
>
> auth_param ntlm program c:/squid/libexec/mswin_ntlm_auth.exe
>
> external_acl_type NT_global_group %LOGIN
> c:/squid/libexec/mswin_check_lm_group.exe -G -c
>
> acl DomainUsers external NT_global_group "c:/squid/etc/DomainUsers.txt"
> acl Proxy_Messengers_yes external NT_global_group Proxy_Messengers_yes
> acl Proxy_Internet_Ts external NT_global_group Proxy_Internet_Ts
> acl Proxy_All_Open external NT_global_group Proxy_All_Open
> acl Proxy_ftp_porn_block_yes external NT_global_group
> Proxy_ftp_porn_block_yes
>
>
> acl porn dstdomain "c:/squid/block/pornblock.txt"
> acl ftpblock url_regex -i \.exe$ \.mp3$ \.asx$ \.avi$ \.mpeg$ \.qt$
> \.ram$ \.rm$ \.iso$ \.wav$ \.aif$ .\wma$ .\wmv$
> ..........
>
>
> # Only allow cachemgr access from localhost
> http_access allow manager localhost
> http_access deny manager
> # Deny requests to unknown ports
> http_access deny !Safe_ports
> # Deny CONNECT to other than SSL ports
> http_access deny CONNECT !SSL_ports
> #
> # We strongly recommend the following be uncommented to protect innocent
> # web applications running on the proxy server who think the only
> # one who can access services on "localhost" is a local user
> #http_access deny to_localhost
> #
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> #
> http_access deny Proxy_Internet_Ts !trustedsites
> http_access allow enabled
> http_access deny porn !Proxy_All_Open
> deny_info ERR_PORN_ACCESS_DENIED porn
> http_access deny bad_word_content_type !Proxy_ftp_porn_block_yes
> !Proxy_All_Open
> deny_info ERR_PORN_ACCESS_DENIED bad_word_content_type
> http_access deny msnmessenger !Proxy_Messengers_yes !Proxy_All_Open
> http_access deny msnweb !Proxy_Messengers_yes !Proxy_All_Open
> http_access deny msnit !Proxy_Messengers_yes !Proxy_All_Open
> http_access deny BadDest !Proxy_Messengers_yes !Proxy_All_Open
> http_access deny rs_deny !rs_allowed
> http_access deny ftpblock !Proxy_ftp_porn_block_yes !Proxy_All_Open
> http_access allow autorizzati DomainUsers
>
> ---------------Squid config end----------------
>
>
> PROBLEM DESCRIPTION:
> As already told squid works well but sometimes (10 pc in last 2 months)
> happens that on a pc internet explorer continuosly require credentials
> (user/password pop-up). If the same user logs on others pc the problem
> isn't present.
> I think should be an internet explorer (or windows bug) that
> unexpectedly stops to work correctly with ntlm authentication and squid.
> IMPORTANT: all users have outlook 2003 and exchange 2003 and it works
> correctely thus the problem cannot be related to Active directory;
> others applications that require kerberos or ntlm authentication
> (netlogon, kix, web applications) work correctely also.
> Thus...the problem is related to the user profile in fact if I recreate
> it, the problem disappears
> Can someone give me a suggestion? Is there a way to force internet
> explorer clear cached credentials (or something similar...) and avoid to
> recreate user's profile?
>
> Thanks
> Marco
>
>

This sounds undoubtedly like a browser problem rather than a problem
with squid. There's a setting in IE that should fix it though. I'm not
sure of your profile configuration, restriction-wise, but go to Tools ->
Internet Options -> Advanced -> Security -> Enable Integrated Windows
Authentication (requires restart). That should enable ntlm. You might
find it's just been dropped on some problematic profiles.

Hope this helps
Richard
Received on Fri Oct 20 2006 - 13:29:33 MDT

This archive was generated by hypermail pre-2.1.9 : Wed Nov 01 2006 - 12:00:04 MST