Re: [squid-users] Windows Media Player 11 and authentication

From: <[email protected]>
Date: Fri, 05 Jan 2007 11:22:07 +0100

Quoting Henrik Nordstrom <henrik@henriknordstrom.net>:

> tor 2007-01-04 klockan 15:12 +0100 skrev apmailist@free.fr:
>
> Hmm.. worked quite fine for me when I last tested at a customer site,
> but you had to go quite deep into the media player preferences to make
> it use the proxy for the various streamed content..
>
example of a site casting a video that WMP cannot read :
http://www.vogue.co.uk/Video/player/
Do other people experience the same problem ?

>
> > There are 2 different requests made by the player, and one of the 2 forgets
> to
> > send a "Proxy-Authorization", and sends a "Proxy-Connection: Keep-Alive"
> > instead.
>
> Proxy-Connection isn't relevant. It should combine both..
>
> > And then the 2nd request is denied.
>
> As it should..
>
> > You notice Basic, written with an uppercase B . ( I reckon squid2.4 to be
> > case-sensitive, and squid2.5 not case-sensitive)
>
> I don't remember Squid-2.4 to be case sensitive about the scheme names,
> but I may be wrong (many many years ago..). The only case-sensitivity
> change I remember is that since Squid-2.5.something we default to handle
> basic auth user names in a case insensitive manner..
>
Back in 2003, case sensitivity on the authentication scheme names :
http://www.squid-cache.org/mail-archive/squid-users/200303/0347.html
But I don't think it's the matter here.

> What happens if you open the video directly from the Akamai CDN
> location?
>
Windows media player opens a popup for user and password, 2 times. There is a
strange "Domain" line on the popup window. The field is not the same on each
occurrence :
1/ "squid's realm"
2/ "proxy server's hostname"
And then WMP stays in a "Connecting to media " state.

Squid debugs logs show :
____________
BEFORE POPUP #1
____________
2007/01/04 17:12:12| parseHttpRequest: req_hdr = {Accept: */*
User-Agent: NSPlayer/11.0.5721.5145
Host: a1111.v173327.c17332.g.vm.akamaistream.net
X-Accept-Authentication: Negotiate, NTLM, Digest, Basic
Pragma: version11-enabled=1
Pragma:
no-cache,rate=1.000,stream-time=0,stream-offset=0:0,packet-num=4294967295,max-duration=0
Pragma: packet-pair-experiment=1
Pragma: pipeline-experiment=1
Supported: com.microsoft.wm.srvppair, com.microsoft.wm.sswitch,
com.microsoft.wm.predstrm, com.microsoft.wm.startupprofile
Pragma: xClientGUID={3300AD50-2C39-46c0-AE0A-4B039CC661E0}
Accept-Language: fr-FR, *;q=0.1

}
2007/01/04 17:12:12| parseHttpRequest: end = {}
2007/01/04 17:12:12| parseHttpRequest: prefix_sz = 727, req_line_sz = 159
2007/01/04 17:12:12| clientSetKeepaliveFlag: http_ver = 1.1
2007/01/04 17:12:12| clientSetKeepaliveFlag: method = GET
2007/01/04 17:12:12| The request GET
http://a1111.v173327.c17332.g.vm.akamaistream.net/7/1111/17332/A4893482/condenetuk.download.akamai.com/17332/Vogue/Shows/AW2006/mcqueen-high.wmv
is DENIED, because it matched 'AUTENT'
2007/01/04 17:12:12| clientBuildReplyHeader: Error, don't keep-alive
2007/01/04 17:12:12| clientSendMoreHeaderData: Appending 1838 bytes after 324
bytes of headers
2007/01/04 17:12:12| The reply for GET
http://a1111.v173327.c17332.g.vm.akamaistream.net/7/1111/17332/A4893482/condenetuk.download.akamai.com/17332/Vogue/Shows/AW2006/mcqueen-high.wmv
is ALLOWED, because it matched 'all'
2007/01/04 17:12:12| connStateFree: FD 24
2007/01/04 17:12:12| httpRequestFree:
http://a1111.v173327.c17332.g.vm.akamaistream.net/7/1111/17332/A4893482/condenetuk.download.akamai.com/17332/Vogue/Shows/AW2006/mcqueen-high.wmv

DENIED as expected because of lack of authentication

______________
AFTER POPUP #1
______________
2007/01/04 17:12:36| parseHttpRequest: req_hdr = {Accept: */*
User-Agent: NSPlayer/11.0.5721.5145
Host: a1111.v173327.c17332.g.vm.akamaistream.net
X-Accept-Authentication: Negotiate, NTLM, Digest, Basic
Pragma:
no-cache,rate=1.000,stream-time=0,stream-offset=0:0,packet-num=4294967295,max-duration=0
Pragma: packet-pair-experiment=1
Pragma: pipeline-experiment=1
Supported: com.microsoft.wm.srvppair, com.microsoft.wm.sswitch,
com.microsoft.wm.predstrm, com.microsoft.wm.startupprofile
Pragma: xClientGUID={3300AD50-2C39-46c0-AE0A-4B039CC661E0}
Proxy-Authorization: basic XXXXXXXXXXXXXXXXXX
Connection: Keep-Alive
Accept-Language: fr-FR, *;q=0.1

}
2007/01/04 17:12:36| parseHttpRequest: end = {}
2007/01/04 17:12:36| parseHttpRequest: prefix_sz = 771, req_line_sz = 159
2007/01/04 17:12:36| clientSetKeepaliveFlag: http_ver = 1.0
2007/01/04 17:12:36| clientSetKeepaliveFlag: method = GET
2007/01/04 17:12:36| The request GET
http://a1111.v173327.c17332.g.vm.akamaistream.net/7/1111/17332/A4893482/condenetuk.download.akamai.com/17332/Vogue/Shows/AW2006/mcqueen-high.wmv
is ALLOWED, because it matched 'groupe_internet'
2007/01/04 17:12:36| clientProcessRequest2: storeGet() MISS
2007/01/04 17:12:36| clientSendMoreHeaderData: Appending 8 bytes after 641 bytes
of headers
2007/01/04 17:12:36| The reply for GET
http://a1111.v173327.c17332.g.vm.akamaistream.net/7/1111/17332/A4893482/condenetuk.download.akamai.com/17332/Vogue/Shows/AW2006/mcqueen-high.wmv
is ALLOWED, because it matched 'all'
2007/01/04 17:12:36| connStateFree: FD 24
2007/01/04 17:12:36| httpRequestFree:
http://a1111.v173327.c17332.g.vm.akamaistream.net/7/1111/17332/A4893482/condenetuk.download.akamai.com/17332/Vogue/Shows/AW2006/mcqueen-high.wmv
2007/01/04 17:12:36| parseHttpRequest: req_hdr = {Accept: */*
User-Agent: NSPlayer/11.0.5721.5145 WMFSDK/11.0
Accept-Encoding: gzip, deflate
Host: a1111.v173327.c17332.g.vm.akamaistream.net
Proxy-Connection: Keep-Alive

}
2007/01/04 17:12:36| parseHttpRequest: end = {}
2007/01/04 17:12:36| parseHttpRequest: prefix_sz = 335, req_line_sz = 159
2007/01/04 17:12:36| clientSetKeepaliveFlag: http_ver = 1.1
2007/01/04 17:12:36| clientSetKeepaliveFlag: method = GET
2007/01/04 17:12:36| The request GET
http://a1111.v173327.c17332.g.vm.akamaistream.net/7/1111/17332/A4893482/condenetuk.download.akamai.com/17332/Vogue/Shows/AW2006/mcqueen-high.wmv
is DENIED, because it matched 'AUTENT'
2007/01/04 17:12:36| clientBuildReplyHeader: Error, don't keep-alive
2007/01/04 17:12:36| clientSendMoreHeaderData: Appending 1838 bytes after 324
bytes of headers
2007/01/04 17:12:36| The reply for GET
http://a1111.v173327.c17332.g.vm.akamaistream.net/7/1111/17332/A4893482/condenetuk.download.akamai.com/17332/Vogue/Shows/AW2006/mcqueen-high.wmv
is ALLOWED, because it matched 'all'
2007/01/04 17:12:36| connStateFree: FD 24
2007/01/04 17:12:36| httpRequestFree:
http://a1111.v173327.c17332.g.vm.akamaistream.net/7/1111/17332/A4893482/condenetuk.download.akamai.com/17332/Vogue/Shows/AW2006/mcqueen-high.wmv

1rst request ALLOWED as expected because of correct authentication
2nd request DENIED as expected because of lack of authentication : there should
be a Proxy-Authorization along with the Keep-Alive. Correct ? (see the
clientBuildReplyHeader: Error, don't keep-alive)

______________
AFTER POPUP #2
______________

Series of requests some ALLOWED , others DENIED,
http://xxx.wmv ALLOWED
http://xxx.wmv ALLOWED
http://xxx.wmv?MSWMExt=.asf DENIED
The pattern is quite difficult to determine. I put it in an attachment , if
someone has the courage to look into it. There are several different types of
requests.

In short , what is the bug ?
- Bad type of authentication :
  Is WMP doing NTLM, Digest, Basic ? How do I know ? With the popups ?
- WMP forgets to authenticate on certain requests -those with MSWMExt=.asf dor
example.

I checked the password : it is correct.

Thank You,

Andrew
Received on Fri Jan 05 2007 - 03:22:45 MST

This archive was generated by hypermail pre-2.1.9 : Thu Feb 01 2007 - 12:00:01 MST