Hi Amos,

Where in the 3.2 squid code will the Proxy-Authorization: line be added? I can see that the negotiate-wrapper correctly returns the TT and I see in the logs:

2011/04/10 01:07:43.849 kid1| negotiate/negotiateUserRequest.cc(272) HandleReply: helper: '0x84886f0' sent us 'TT TlRMTVNTUAACAAAACQAJADAAAAAGgokAT7KQwRyCYyIAAAAAAAAAAHQAdAA5AAAAV0lOMjAwM1IyAgASAFcASQBOADIAMAAwADMAUgAyAAEAFABPAFAARQBOAFMAVQBTAEUAMQAxAAQAEgBzAHUAcwBlAC4AaABvAG0AZQADACgAbwBwAGUAbgBzAHUAcwBlADEAMQAuAHMAdQBzAGUALgBoAG8AbQBlAAAAAAA='
2011/04/10 01:07:43.849 kid1| cbdataReferenceValid: 0x84cb4d0
2011/04/10 01:07:43.849 kid1| negotiate/negotiateUserRequest.cc(325) HandleReply: Need to challenge the client with a server blob 'TlRMTVNTUAACAAAACQAJADAAAAAGgokAT7KQwRyCYyIAAAAAAAAAAHQAdAA5AAAAV0lOMjAwM1IyAgASAFcASQBOADIAMAAwADMAUgAyAAEAFABPAFAARQBOAFMAVQBTAEUAMQAxAAQAEgBzAHUAcwBlAC4AaABvAG0AZQADACgAbwBwAGUAbgBzAHUAcwBlADEAMQAuAHMAdQBzAGUALgBoAG8AbQBlAAAAAAA='
2011/04/10 01:07:43.849 kid1| UserRequest.cc(80) valid: Validating AuthUserRequest '0x871dc88'.
2011/04/10 01:07:43.849 kid1| UserRequest.cc(100) valid: Validated. AuthUserRequest '0x871dc88'.
2011/04/10 01:07:43.849 kid1| ACLChecklist::asyncInProgress: 0x84cb4d0 async set to 0
2011/04/10 01:07:43.849 kid1| cbdataReferenceValid: 0x84cb3e0
2011/04/10 01:07:43.849 kid1| cbdataReferenceValid: 0x8457df8
2011/04/10 01:07:43.849 kid1| ACLChecklist::preCheck: 0x84cb4d0 checking 'http_access allow authenticate'
2011/04/10 01:07:43.850 kid1| ACLList::matches: checking authenticate
2011/04/10 01:07:43.850 kid1| ACL::checklistMatches: checking 'authenticate'
2011/04/10 01:07:43.850 kid1| UserRequest.cc(80) valid: Validating AuthUserRequest '0x871dc88'.
2011/04/10 01:07:43.850 kid1| UserRequest.cc(100) valid: Validated. AuthUserRequest '0x871dc88'.
2011/04/10 01:07:43.850 kid1| negotiate/negotiateUserRequest.cc(56) authenticated: user not fully authenticated.
2011/04/10 01:07:43.850 kid1| UserRequest.cc(345) authenticate: header Negotiate TlRMTVNTUAABAAAABoIIAAAAAAAAAAAAAAAAAAAAAAA=.
2011/04/10 01:07:43.850 kid1| UserRequest.cc(80) valid: Validating AuthUserRequest '0x871dc88'.
2011/04/10 01:07:43.850 kid1| UserRequest.cc(100) valid: Validated. AuthUserRequest '0x871dc88'.
2011/04/10 01:07:43.850 kid1| negotiate/negotiateUserRequest.cc(56) authenticated: user not fully authenticated.
2011/04/10 01:07:43.850 kid1| negotiate/negotiateUserRequest.cc(201) authenticate: need to challenge client 'TlRMTVNTUAACAAAACQAJADAAAAAGgokAT7KQwRyCYyIAAAAAAAAAAHQAdAA5AAAAV0lOMjAwM1IyAgASAFcASQBOADIAMAAwADMAUgAyAAEAFABPAFAARQBOAFMAVQBTAEUAMQAxAAQAEgBzAHUAcwBlAC4AaABvAG0AZQADACgAbwBwAGUAbgBzAHUAcwBlADEAMQAuAHMAdQBzAGUALgBoAG8AbQBlAAAAAAA='!



but the client never receives the Proxy-Authorization: line. It gets lost somewhere in the squid code. It works for pure NTLM.



Thank you
Markus

"Markus Moeller" <[email protected]> wrote in message news:[email protected]...

"Markus Moeller" <[email protected]> wrote in message news:[email protected]...
I did some further tests and noticed the following:

1) IE with squid 3.0 works using my wrapper (See ie-nego-3.0.tgz)
2) Polygraph with squid 3.0 fails for ntlm (either via negotiate-ntlm or pure ntlm) (See polygraph-4.3.1-3.0.tgz)

I can get 3.0 to work by adding Connection: Keep-Alive to Polygraph's client code.

3) Polygraph with squid 3.2 works for ntlm but fails negotiate-ntlm (See polygraph-4.3.1-3.2.tgz)


3.2 still needs further analysis


Markus


"Markus Moeller" <[email protected]> wrote in message
news:[email protected]...
Hi,

 I try to use my negotiate-wrapper with auth_ntlm and squid-3.2 and see
that the helper returns TT ... and squid logs

2011/03/20 13:08:19.544 kid1| negotiate/negotiateUserRequest.cc(201) authenticate: need to challenge client 'TlRMTVNTUAACAAAAEgASADAAAAAFgomivxsqHXpxr1kAAAAAAAAAAHQAdABCAAAAVwBJAE4AMgAwADAAMwBSADIAAgASAFcASQBOADIAMAAwADMAUgAyAAEAFABPAFAARQBOAFMAVQBTAEUAMQAxAAQAEgBzAHUAcwBlAC4AaABvAG0AZQADACgAbwBwAGUAbgBzAHUAcwBlADEAMQAuAHMAdQBzAGUALgBoAG8AbQBlAAAAAAA='!

but in the wireshark log I don't see a proxy-authenticate header line to
challenge the client.  What could be the reason ?

When I switch to Negotiate-Kerberos everything works.

Attached are the config and log files.

Markus




Markus



