On Wed, 15 Jun 2011 08:48:31 +1200, Mike Bordignon (GMI) wrote:
> On 14/06/2011 6:32 p.m., Amos Jeffries wrote:
>> Not another one. Good luck.
>>
>> If you have any influence or contact with the devs of that app
>> please help educate them of the safety issues involved with sending
>> users internal machine logins out over the global Internet. And HTTPS
>> is no longer a guarantee of protection.
>>
>>
>
> I do have access to the devs, but access won't be over the Internet -
> it'll be over a LAN. No problem there.
>
>>> replies with a WWW-Authenticate header. Squid doesn't appear to be
>>> passing through the Authentication headers to the browser.
>>
>> Indicating that Squid has detected the TCP links involved do not
>> support that type of auth.
>
> I've since used Wireshark and it appears I am receiving
> WWW-Authenticate headers. Somewhat confused now.
Welcome to the party.
Could be the security levels don't match between the WebApp server and
the workstation. NTLM has a layering system where the server advertises
its preferred security level, and the workstation agrees or does not
respond. There are five levels, some of which indicate willingness to
accept lower security, some restrict only to that level or higher.
This has the best explain I've seen so far. Though it does not mention
where Negotiate/Kerberos fits into the layers.
http://technet.microsoft.com/en-us/magazine/2006.08.securitywatch.aspx
>
>>
>> pipeline_prefetch is one feature which NTLM auth will break. Make
>> sure that is turned OFF manually.
>>
>> HTTP/1.0 persistent connections is another. Make sure
>> client_persistent_connections is turned ON manually in 3.1 series.
>> Make sure that server_persistent_connections is REMOVED from your
>> config in 3.1 series, and manually turned ON in 3.0 and earlier.
>>
>>
>> After that its cross fingers and hope. If you find anything strange
>> still going on, please mention it.
>>
>> When you encounter a problem the first thing asked will be to verify
>> it on the latest release. It speeds up the fix a bit if that is where
>> its found.
>
> Thanks, I will keep that in mind. I've made the other config changes
> you suggest but still I get prompted for a password by my browser, I
> enter the correct password and again I get the prompt (via Firefox).
> IE is working, however?!
Which indicates the credentials are fine as is the proxy part of the
transaction. Firefox appears not have security access to the OS properly
to do the background stuff required. 2/3 of NTLM and related protocols
is done in background actions.
Amos
Received on Tue Jun 14 2011 - 22:39:06 MDT
This archive was generated by hypermail 2.2.0 : Wed Jun 15 2011 - 12:00:03 MDT