I ran some additional tests with ntlm_auth

ntlm_auth --username    works
ntlm_auth --helper-protocol=squid-2.5-ntlmssp

yields BH SPNEGO request invalid prefix

Thanks,

Keith


-----Original Message-----
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Monday, October 26, 2015 4:24 PM
To: Keith White <keith.wh...@emdmillipore.com>; 
squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Squid/NTLM Auth

On 24/10/2015 1:44 a.m., Keith White wrote:
> I changed around the DNS servers and still no luck.  This also popped
> up in the log
>
> Acl.cc(70) AuthenticateAcl: returning 2 sending credentials to helper.
> 2015/10/23 05:41:35.259 kid1| 28,3| Acl.cc(158) matches: checked:
> AuthorizedUsers = -1 async
> 2015/10/23 05:41:35.259 kid1| 28,3| Acl.cc(158) matches: checked:
> http_access#3 = -1 async
> 2015/10/23 05:41:35.259 kid1| 28,3| Acl.cc(158) matches: checked:
> http_access = -1 async
> 2015/10/23 05:41:35.259 kid1| ERROR: NTLM Authentication validating
> user. Result: {result=BH, notes={message: NT_STATUS_UNSUCCESSFUL
> NT_STATUS_UNSUCCESSFUL; }}
> 2015/10/23 05:41:35.260 kid1| 29,5| UserRequest.cc(73) valid: Validated. 
> Auth::UserRequest '0x12c1f10'.
>

IIRC that BH response happens when the helper gets a type-3 token without 
having been part of the handshake dance that led up to it. The helpers are 
stateful and the same one needs to be part of the whole handshake.

That can happen if the connection is closed for some reason after the
type-2 token is sent, and the client is brokenly continuing on a new connection 
(Firefox is known to do that, others might too).

The connection is allowed to close after the initial 407 challenge. Some 
clients are broken and require that to happen - which is where the "auth_param 
ntlm keep_alive off" setting helps.

But not once the type-2 token is sent on the second 407. Squid should be 
enforcing a persistent TCP connection from then onwards.

The next step is to look at either the HTTP messages or the TCP packet level to 
find out what (if anything) is closing the connection between the type-2 and 
type-3 token messages; that's probably your problem.

Amos
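To make the statefulness Amos describes concrete, here is an added toy model of the squid-2.5-ntlmssp helper line protocol (YR/KK in, TT/AF/BH out); it is constructed for illustration and is not ntlm_auth's or Squid's code. The NTLMSSP tokens are minimal stand-ins (signature plus message type only), the AF user name is made up, and no real domain controller is consulted.

```python
import base64
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"


def ntlm_token(msg_type: int) -> str:
    """Constructed minimal NTLMSSP token: 8-byte signature + LE32 message type, base64 as on the helper line."""
    return base64.b64encode(NTLMSSP_SIG + struct.pack("<I", msg_type)).decode()


def token_type(b64: str):
    """Return the NTLMSSP message type (1 negotiate, 2 challenge, 3 authenticate) or None if not NTLMSSP."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except (ValueError, TypeError):
        return None
    if len(raw) < 12 or not raw.startswith(NTLMSSP_SIG):
        return None  # e.g. an SPNEGO-wrapped or garbage blob: wrong prefix for this protocol
    return struct.unpack_from("<I", raw, 8)[0]


class StatefulHelper:
    """One helper process. It can only accept a type-3 if *it* issued the type-2 challenge."""

    def __init__(self):
        self.challenged = False  # set once this helper has sent TT; cleared after KK

    def handle(self, line: str) -> str:
        cmd, _, b64 = line.strip().partition(" ")
        kind = token_type(b64)
        if kind is None:
            return "BH invalid prefix"  # token is not NTLMSSP at all
        if cmd == "YR" and kind == 1:
            self.challenged = True
            return "TT " + ntlm_token(2)
        if cmd == "KK" and kind == 3:
            if not self.challenged:
                # Type-3 arrived at a helper that never saw the handshake (e.g. new TCP
                # connection routed to a different helper): nothing to validate against.
                return "BH NT_STATUS_UNSUCCESSFUL"
            self.challenged = False
            return "AF EXAMPLE\\user"  # constructed; a real helper validates with the DC here
        return "BH unexpected message"


def run(exchange):
    """exchange: list of (helper, line); returns the helper replies in order."""
    return [helper.handle(line) for helper, line in exchange]
```

Feed the type-1 and type-3 to the same helper and you get TT then AF; split them across two helpers and the second answers BH, which is the symptom in the log above.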



_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
