RE: [squid-users] NTLM + Squid - No NTLM Header being sent

From: Mike Poublon <mpoublon@dont-contact.us>
Date: Thu, 3 May 2007 15:42:55 -0400

I just tried using the same config, but commenting out the auth_param
basic lines.
Instead of being asked for a password this time, I only get to a cache
access denied page. An Ethereal snoop of the HTTP response from Squid
shows the following:

HTTP/1.0 407 Proxy Authentication Required
Server: squid/2.5.STABLE12
Mime-Version: 1.0
Date: Thu, 03 May 2007 18:53:16 GMT
Content-Type: text/html
Content-Length: 1322
Expires: Thu, 03 May 2007 18:53:16 GMT
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
X-Cache: MISS from proxy.domain.local
X-Cache-Lookup: NONE from proxy.domain.local:3128
Proxy-Connection: close

Notice that there aren't any
Proxy-Authenticate: ...
lines that tell IE what kind of authentication to attempt to use even
though the only authentication type is NTLM.

-Mike

-----Original Message-----
From: movits@bloomberg.com [mailto:movits@bloomberg.com]
Sent: Thursday, May 03, 2007 2:45 PM
To: Mike Poublon
Subject: Re: [squid-users] NTLM + Squid - No NTLM Header being sent

On Thursday 03 May 2007 12:09 pm, Mike Poublon wrote:
> Whenever I try to access a page (using IE6 - should support NTLM),
> I get a dialog box asking for my username and password - which if
> provided authenticates me and I can browse the site.

I'm pretty sure that what you did was use *basic* auth and validate
the creds using NTLM. That's not the same thing as NTLM auth!

See:
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 10
> auth_param ntlm max_challenge_reuses 0
> auth_param ntlm max_challenge_lifetime 2 minutes
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours

All those basic auth_params are what's happening (and it's working
because the basic auth program is /usr/bin/ntlm_auth).

Mordy

-- 
Mordy Ovits
Network Security
Bloomberg L.P.
Received on Thu May 03 2007 - 13:43:30 MDT
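
Added example (not part of either poster's message): a short Python check that reads a captured proxy response and reports which Proxy-Authenticate schemes it offers, covering the headerless 407 in the capture above and the Basic challenge discussed in the quoted reply. The function names and result labels are assumptions; the first sample is abbreviated from the capture in this thread and the other two are constructed.

```python
def offered_schemes(raw_response):
    """Return (status_code, [auth schemes]) from a raw HTTP response header block."""
    lines = raw_response.strip().splitlines()
    status = int(lines[0].split()[1])
    schemes = []
    for line in lines[1:]:
        if not line.strip():
            break  # a blank line ends the header block
        name, _, value = line.partition(":")
        if name.strip().lower() == "proxy-authenticate" and value.strip():
            # The scheme is the first token: "NTLM", 'Basic realm="..."', ...
            schemes.append(value.split()[0].lower())
    return status, schemes

def diagnose(raw_response):
    """Label what the client is being asked to do (labels are hypothetical)."""
    status, schemes = offered_schemes(raw_response)
    if status != 407:
        return "not-a-proxy-challenge"
    if not schemes:
        return "no-scheme-offered"         # client has nothing to attempt
    if "ntlm" in schemes and "basic" in schemes:
        return "ntlm-with-basic-fallback"  # Basic sends the password base64-encoded
    if "ntlm" in schemes:
        return "ntlm-only"
    if schemes == ["basic"]:
        return "basic-only"                # browser shows a password dialog
    return "other"

# Abbreviated from the capture quoted in this thread.
CAPTURED = """HTTP/1.0 407 Proxy Authentication Required
Server: squid/2.5.STABLE12
Date: Thu, 03 May 2007 18:53:16 GMT
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
Proxy-Connection: close
"""
# Constructed samples, for comparison only.
BASIC_ONLY = """HTTP/1.0 407 Proxy Authentication Required
Proxy-Authenticate: Basic realm="Squid proxy-caching web server"
"""
BOTH = """HTTP/1.0 407 Proxy Authentication Required
Proxy-Authenticate: NTLM
Proxy-Authenticate: Basic realm="Squid proxy-caching web server"
"""

if __name__ == "__main__":
    for label, raw in (("captured", CAPTURED), ("basic", BASIC_ONLY), ("both", BOTH)):
        print(label, diagnose(raw))
```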
