Hi,
I have upgraded our squid to version 3.1.19 but I am still seeing the
repeated popup box issue with non-domain member machines (windows machines).
Domain member machines authenticate perfectly via NTLM, but non-domain
member machines (Windows XP, Windows 7) pop up a password box three
times before accepting the credentials.
I have removed all the authentication directives _except_ the NTLM one
to simplify the troubleshooting.
If I asked Internet Explorer to save the credentials then the
authentication works fine and I get no further popup boxes. Chrome is
the same - as is Firefox, although interestingly Firefox will only
authenticate if the credentials have been stored. If they have not been
stored (using IE remember password) it plain refuses to authenticate at
all (no popup boxes or anything).
I am more than happy to work through this myself, but have exhausted all
my ideas. Could some one point me in the right direction?
Regards
Harry
On 05/04/2012 17:19, Harry Mills wrote:
> Hi,
>
> I have been trying to iron our a few issues we are having with NTLM
> authentication on our network for machines which are not domain members:
>
> Windows 2008R2 AD domain
> RHEL 6.1
> squid-3.1.10-1
> samba-3.5.6-86
> Internet Explorer 7,8
>
> We are in the process of moving to Kerberos authentication, and the test
> squid we have running is working well, however, when presented with the
> negotiate option for auth, IE will choose NTLM rather than basic when it
> is not a member of the domain.
>
> I have reduced the config for squid down to just offering NTLM
> authentication to help me debug an issue with pop up boxes. I have also
> written a wrapper around the ntlm_auth binary to strace the calls being
> made when it is being executed.
>
> NTLM authentication works without issue for domain members, however IE
> (and Chrome) will both popup an authentication required box three times
> before accepting the DOMAIN\Username and password.
>
> Checking the wrapper around ntlm_auth, the process is only called by
> squid after the last of the three authentication prompts is submitted by
> the browser. Squid issues the expected two 407s to the browser which
> appears to cause the browser to pop up the authentication window each
> time, and on the third submission authentication succeeds.
>
> The odd thing is, if I turn off keep-alive for ntlm in the squid.conf
> then I still see the 407s being issued by squid, but I only get a single
> authentication pop up from the browser, which when submitted with the
> correct credentials is immediately accepted and authentication succeeds.
>
> I am clearly missing something, because it states quite clearly that
> NTLM _requires_ keep alive sockets as it is a connection orientated
> mechanism, so perhaps my turning off keep-alive causes a basic-auth
> fallback within ntlm_auth?
>
> Is there a reason that IE presents 3 authentication boxes before
> accepting credentials from a non-domain machine. If there is a reason,
> is there a solution?
>
> One thought I have had is that the majority of non-domain members will
> be on a specific VLAN, and therefore have a specific IP subnet. Is it
> possible to offer a different range of authentication options to the
> clients based on a subnet acl, e.g. Kerb/NTLM for machines on
> domain-member VLANS and just basic for guests (non-domain members)?
>
> Regards,
>
> Harry
Received on Thu Apr 19 2012 - 12:01:15 MDT
This archive was generated by hypermail 2.2.0 : Fri Apr 20 2012 - 12:00:03 MDT