Note the lack of a user-agent string. This is likely an app that cannot authenticate.
My standard for Auth Bypass is source IP, user-agent string and destination URL. Generally the source is preferred to be statically assigned; otherwise you need to allow the entire DHCP pool or range. Because there is no user-agent, you can drop the requirement or force it with some sort of negated logic (!any).

On Apr 8, 2015 11:21 AM, "Samuel Anderson" <s...@idsdoc.com> wrote:

> Hello all,
>
> I'm having a problem where HTTP 1.1 connect requests do not authenticate
> using NTLM. Browsing the internet works fine in all major browsers, I
> mostly see this occurring in programs that are installed locally on a user's
> computer. Using wireshark I'm able to follow the TCP stream and I can see
> that the server returns the error (407 Proxy Authentication Required). I am
> able to work around this problem by explicitly bypassing a domain from
> requiring authentication, however I really don't want to do that. Any ideas
> would be appreciated very much.
>
> Thanks,
>
> Below is the content summary of some of the network packets that I'm
> working with along with my config file
>
> TCP Stream Content
>
> ####################
> CONNECT batch.internetpostage.com:443 HTTP/1.1
> Host: batch.internetpostage.com
> Proxy-Connection: Keep-Alive
>
>
> HTTP/1.1 407 Proxy Authentication Required
> Server: squid/3.3.8
> Mime-Version: 1.0
> Date: Tue, 07 Apr 2015 21:02:24 GMT
> Content-Type: text/html
> Content-Length: 3208
> X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
> Proxy-Authenticate: Negotiate
> Proxy-Authenticate: NTLM
> X-Cache: MISS from squid2.****.local
> X-Cache-Lookup: NONE from squid2.****.local:3128
> Via: 1.1 squid2.****.local (squid/3.3.8)
> Connection: close
> ####################
>
> CONFIG File
>
> ####################
>
> #Kerberos and NTLM authentication
>
> auth_param negotiate program /usr/local/bin/negotiate_wrapper --ntlm
> /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp
> --domain=****.LOCAL --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d
> -s GSS_C_NO_NAME
> auth_param negotiate children 30
> auth_param negotiate keep_alive off
>
> auth_param ntlm program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-ntlmssp --domain=****
> auth_param ntlm children 30
> auth_param ntlm keep_alive off
>
> # AD group membership lookup
>
> external_acl_type ldap_group ttl=60 children-startup=10 children-max=50
> children-idle=2 %LOGIN /usr/lib/squid3/ext_ldap_group_acl -R -K -S -b
> "DC=****,DC=local" -D "CN=SQUID,OU=**** Service Accounts,DC=****,DC=local"
> -w "****" -f "(&(objectclass=person)
> (sAMAccountname=%v)(memberof=CN=%a,OU=PROXY,ou=ALL **** Groups,DC=****
> ,DC=local))" -h dc1.****.local,dc2.****.local,dc3.****.local,dc4.****.local
>
> # auth required
>
> acl auth proxy_auth REQUIRED
> http_access deny !auth all
>
> ####################
>
> --
> Samuel Anderson | Information Technology Administrator | International
> Document Services
>
> IDS | 11629 South 700 East, Suite 200 | Draper, UT 84020-4607
>
>
> CONFIDENTIALITY NOTICE:
> This e-mail and any attachments are confidential. If you are not an
> intended recipient, please contact the sender to report the error and
> delete all copies of this message from your system. Any unauthorized
> review, use, disclosure or distribution is prohibited.
>
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
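One way to express the bypass criteria from the reply (source IP, absent user-agent, destination) in squid.conf, placed ahead of the `http_access deny !auth all` rule from the posted config. This is an added example, not configuration posted by anyone in the thread; 192.0.2.25 is a constructed placeholder address and the ACL names are hypothetical.

```conf
# Added example, not from the thread.
# 192.0.2.25 is a constructed placeholder for the statically assigned client;
# the ACL names (noauth_src, noauth_dst, tls_port, has_ua) are hypothetical.

# Source: the single workstation that runs the non-authenticating program.
# A static address keeps this to one host instead of a whole DHCP range.
acl noauth_src src 192.0.2.25/32

# Destination: the host seen in the captured CONNECT request.
acl noauth_dst dstdomain batch.internetpostage.com

# Tunnels only, and only to the HTTPS port.
# (A CONNECT method ACL is normally present in the default squid.conf already;
#  keep only one definition.)
acl CONNECT method CONNECT
acl tls_port port 443

# User-Agent: "browser" matches a regex against the User-Agent header.
# "." matches any request that carries one, so "!has_ua" selects requests
# that send no User-Agent at all, like the one in the capture.
acl has_ua browser .

# The bypass has to be evaluated before the rule that issues the 407 challenge.
# All ACLs on the line are ANDed together.
http_access allow CONNECT tls_port noauth_src noauth_dst !has_ua

# Existing rules from the posted config, unchanged.
acl auth proxy_auth REQUIRED
http_access deny !auth all
```

The User-Agent test only narrows the match, since the header is set by the client; the source address and destination are what limit who can use the rule. `squid -k parse` checks the file for syntax errors before a reload.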