Re: [squid-users] Repeated auth challenges, credentialsttl 8 hour

From: Jim Moseby <JMoseby_at_elasticfabrics.com>
Date: Thu, 27 Jan 2011 13:22:22 -0500

>>> On 1/27/2011 at 11:40 AM, in message <4D41A000.6010204_at_treenet.co.nz>, Amos
Jeffries <squid3_at_treenet.co.nz> wrote:
> On 28/01/11 04:26, Jim Moseby wrote:
>> Some of my users are getting repeated auth challenges, even though I
>> have "auth_param basic credentialsttl 8 hour" in squid.conf. What
>> triggers the auth challenge, and how can I configure so my users will
>> only be challenged once per 8 hour workday?
>>
>
> Triggers when the browser has no credentials stored to send to the
> proxy. Or if the credentials it sent were rejected by your ACLs.
>
> The common cause of ACLs triggering popups after good auth has been in
> use is group access checks on the end of a deny line. Place "all" at the
> end of such lines to prevent existing credentials being re-challenged.
>
> A less common cause if it's just a few out of many users may be strange
> characters in their login or password. Or UTF binary coding being sent
> by their browser.
>
>
> The only way to prevent popups for all day with Basic is to keep the
> browser open at all times. Otherwise normally they can expect one
> initial popup when they open a new browser.
>
> Amos

Hi Amos,

Thanks for that quick and helpful reply.

I have verified that each 'deny' line has 'all' at the end.

The behavior I want is exactly as you describe. They should be challenged when they first open their browser, and not again until they close and reopen it, or 8 hours have passed.

I am also seeing challenges from other triggers. For instance, if they receive an email with an external reference (images, etc), or office applications (Excel, Word, etc) checking for updates. Since these are not really browser initiated, should they be causing their own challenges? Can I white list known update sites so that they do not cause auth challenges?

Thanks again for your help.

Jim

Received on Thu Jan 27 2011 - 18:22:56 MST
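
The deny-line check Amos describes, as an added example that is not part of the original thread: a small Python lint that reads squid.conf text and reports each `http_access deny` rule whose last ACL needs credentials (a `proxy_auth` ACL, or an `external` ACL whose helper format uses `%LOGIN`). The function name, the ACL names and the helper path in the sample are made up for illustration.

```python
# ACL types that always need credentials from the client.
AUTH_TYPES = {"proxy_auth", "proxy_auth_regex"}

def lint_http_access(conf_text):
    """Return [(line_no, rule)] for http_access deny rules ending in an auth ACL.

    Such a rule makes Squid answer with a new auth challenge instead of a
    plain denial; appending "all" to the rule avoids that.
    """
    login_helpers = set()  # external_acl_type names whose format uses %LOGIN
    auth_acls = set()      # ACL names that depend on credentials
    findings = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        tok = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if not tok:
            continue
        if tok[0] == "external_acl_type" and "%LOGIN" in tok[2:]:
            login_helpers.add(tok[1])
        elif tok[0] == "acl" and len(tok) >= 3:
            name, kind = tok[1], tok[2]
            if kind in AUTH_TYPES:
                auth_acls.add(name)
            elif kind == "external" and len(tok) > 3 and tok[3] in login_helpers:
                auth_acls.add(name)
        elif tok[0] == "http_access" and len(tok) >= 3 and tok[1] == "deny":
            last = tok[-1].lstrip("!")  # "!staff" refers to ACL "staff"
            if last in auth_acls:
                findings.append((no, " ".join(tok)))
    return findings

# Constructed sample configuration (not from the thread).
SAMPLE = """\
auth_param basic credentialsttl 8 hour
external_acl_type grp %LOGIN /path/to/group_helper  # placeholder path
acl authed proxy_auth REQUIRED
acl staff external grp Staff
acl blocked dstdomain .example.net
http_access deny blocked !staff
http_access deny !staff all
http_access allow authed
http_access deny all
"""

if __name__ == "__main__":
    for line_no, rule in lint_http_access(SAMPLE):
        print(f"line {line_no}: '{rule}' ends in an auth ACL; append 'all'")
```
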
