Gavin McCullagh wrote:
Hi,

On Tue, 25 Aug 2009, Truth Seeker wrote:

I have squid-3.0.STABLE13-1.el5 on CentOS 5.3 which is authenticating with 2003 
AD (kerb + winbind) and have different acls (group based) in place.

The problem is, java is not working for our users. Previously they all were 
using ISA, and java was working for them.

in the following site;

http://www.dailyfx.com/ 3rd column in the right side shows the "Live currency rates" which is working with java. This is a must in our environment...
Awaiting your response...

We have a similar setup on one VLAN, with squid on linux authenticating
users using active directory.  We've seen lots of issues with Java not
being able to authenticate.

Testing the page you're talking about (albeit with a linux desktop), I get
a java popup window asking me for my AD username/password/domain, I type it
in but repeatedly it fails.

The squid access.log says:

1251204847.837      0 172.16.1.3 TCP_DENIED/407 1846 CONNECT balancer.netdania.com:443 - NONE/- text/html
1251204847.842      0 172.16.1.3 TCP_DENIED/407 1846 CONNECT balancer.netdania.com:443 - NONE/- text/html

I'm not sure if these lines in cache.log are relevant or not.

[2009/08/25 13:42:00, 1] libsmb/ntlmssp.c:ntlmssp_update(267)
  got NTLMSSP command 3, expected 1
[2009/08/25 13:42:00, 1] libsmb/ntlmssp.c:ntlmssp_update(267)
  got NTLMSSP command 3, expected 1
[2009/08/25 13:42:01, 1] libsmb/ntlmssp.c:ntlmssp_update(267)
  got NTLMSSP command 3, expected 1
[2009/08/25 13:42:01, 1] libsmb/ntlmssp.c:ntlmssp_update(267)
  got NTLMSSP command 3, expected 1
[2009/08/25 13:47:02, 1] libsmb/ntlmssp.c:ntlmssp_update(267)
  got NTLMSSP command 3, expected 1

My usual workaround is to add an ACL for that site which is far from ideal.
I've added the following ACL:

        acl dailyfx dstdomain balancer.netdania.com
        http_access allow dailyfx CONNECT

That works around the issue for me.  I still get prompted for the username
and password and the logs suggest some traffic isn't getting through.

1251205769.600  14385 172.16.1.3 TCP_MISS/000 7263 CONNECT balancer.netdania.com:443 - FIRST_UP_PARENT/172.20.2.3 -
1251205771.233      1 172.16.1.3 TCP_DENIED/407 1954 GET http://balancer.netdania.com/StreamingServer/StreamingServer? - NONE/- text/html
1251205771.239      3 172.16.1.3 TCP_DENIED/407 1969 GET http://balancer.netdania.com/StreamingServer/StreamingServer? - NONE/- text/html
1251205771.516    277 172.16.1.3 TCP_MISS/200 1443 GET http://balancer.netdania.com/StreamingServer/StreamingServer? gavinmc FIRST_UP_PARENT/172.20.2.3 application/zip
1251205774.813     55 172.16.1.3 TCP_DENIED/407 1954 GET http://balancer.netdania.com/StreamingServer/StreamingServer? - NONE/- text/html
1251205774.816      0 172.16.1.3 TCP_DENIED/407 1969 GET http://balancer.netdania.com/StreamingServer/StreamingServer? - NONE/- text/html
1251205776.537   1721 172.16.1.3 TCP_MISS/200 1125 GET http://balancer.netdania.com/StreamingServer/StreamingServer? gavinmc FIRST_UP_PARENT/172.20.2.3 application/zip
1251205779.681      1 172.16.1.3 TCP_DENIED/407 1954 GET http://balancer.netdania.com/StreamingServer/StreamingServer? - NONE/- text/html
1251205779.685      1 172.16.1.3 TCP_DENIED/407 1969 GET http://balancer.netdania.com/StreamingServer/StreamingServer? - NONE/- text/html

If I drop the word CONNECT I get no errors at all, but that disables
authentication entirely for that site.

There is definitely some issue with authentication and Java.  I'm not sure
if it might actually be Authentication+Java+SSL.  Our problems are
generally with java-driven online banking applications.

Gavin

Probably not java+auth+SSL if the normal requests still fail the same way.

java + proxy auth in general is a known issue with certain versions of Java. Thus the age-old 'browser' ACL for allowing Java seen in tutorials all over the web.

I've heard rumours of newer versions doing better and fixing various things. But no idea which versions, if it's fully fixed or just half-fixed for some protocols/requests.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
  Current Beta Squid 3.1.0.13
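A defender-side check on the access.log pattern Gavin quoted above, written as an added example that is not code from this thread or from the Squid project. It parses Squid native-format log lines, reports clients that keep being re-challenged with 407 for the same host within a short window even though they already authenticated there (the Java re-authentication churn), and lists requests the proxy served with no username at all, which is what the "allow dailyfx CONNECT" rule produces for that host and is worth auditing when such workarounds accumulate. The sample log is the thread's own lines rejoined one request per line; the window, threshold and host-extraction regex are my assumptions.

```python
"""Audit a Squid native-format access.log for proxy-auth churn and
unauthenticated pass-through (added example, not the thread's own code)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: the access.log lines quoted in the thread, rejoined
# so that each request sits on exactly one line (Squid native format).
SAMPLE_LOG = """\
1251204847.837      0 172.16.1.3 TCP_DENIED/407 1846 CONNECT balancer.netdania.com:443 - NONE/- text/html
1251204847.842      0 172.16.1.3 TCP_DENIED/407 1846 CONNECT balancer.netdania.com:443 - NONE/- text/html
1251205769.600  14385 172.16.1.3 TCP_MISS/000 7263 CONNECT balancer.netdania.com:443 - FIRST_UP_PARENT/172.20.2.3 -
1251205771.233      1 172.16.1.3 TCP_DENIED/407 1954 GET http://balancer.netdania.com/StreamingServer/StreamingServer? - NONE/- text/html
1251205771.239      3 172.16.1.3 TCP_DENIED/407 1969 GET http://balancer.netdania.com/StreamingServer/StreamingServer? - NONE/- text/html
1251205771.516    277 172.16.1.3 TCP_MISS/200 1443 GET http://balancer.netdania.com/StreamingServer/StreamingServer? gavinmc FIRST_UP_PARENT/172.20.2.3 application/zip
1251205774.813     55 172.16.1.3 TCP_DENIED/407 1954 GET http://balancer.netdania.com/StreamingServer/StreamingServer? - NONE/- text/html
1251205774.816      0 172.16.1.3 TCP_DENIED/407 1969 GET http://balancer.netdania.com/StreamingServer/StreamingServer? - NONE/- text/html
1251205776.537   1721 172.16.1.3 TCP_MISS/200 1125 GET http://balancer.netdania.com/StreamingServer/StreamingServer? gavinmc FIRST_UP_PARENT/172.20.2.3 application/zip
1251205779.681      1 172.16.1.3 TCP_DENIED/407 1954 GET http://balancer.netdania.com/StreamingServer/StreamingServer? - NONE/- text/html
1251205779.685      1 172.16.1.3 TCP_DENIED/407 1969 GET http://balancer.netdania.com/StreamingServer/StreamingServer? - NONE/- text/html
"""


@dataclass
class Entry:
    ts: float      # request time, seconds since epoch
    client: str    # requesting IP
    result: str    # Squid result code, e.g. TCP_DENIED
    status: int    # HTTP status; 0 for tunnels logged as /000
    method: str
    host: str      # destination host, from CONNECT target or URL
    user: str      # '-' when the request carried no accepted credentials


# Assumed host extraction: optional scheme, then everything up to '/' or ':'.
_HOST_RE = re.compile(r"^(?:[a-z]+://)?([^/:]+)")


def parse_line(line):
    """Parse one native-format line; return None for malformed input."""
    f = line.split()
    if len(f) < 10:
        return None
    try:
        ts = float(f[0])
        result, status = f[3].split("/", 1)
        status = int(status)
    except ValueError:
        return None
    m = _HOST_RE.match(f[6])
    if not m:
        return None
    return Entry(ts, f[2], result, status, f[5], m.group(1).lower(), f[7])


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def find_407_churn(entries, threshold=4, window=60.0):
    """Per (client, host): largest number of 407 challenges inside any
    `window`-second span, plus how many authenticated 2xx responses the
    same client got for that host. A high challenge count alongside
    authenticated successes is the re-authenticate-every-request pattern."""
    by_key = defaultdict(list)
    for e in entries:
        by_key[(e.client, e.host)].append(e)
    findings = {}
    for key, es in by_key.items():
        challenges = sorted(e.ts for e in es if e.status == 407)
        best, j = 0, 0
        for i, t in enumerate(challenges):       # two-pointer sliding window
            while challenges[j] < t - window:
                j += 1
            best = max(best, i - j + 1)
        authenticated = sum(1 for e in es if 200 <= e.status < 300 and e.user != "-")
        if best >= threshold:
            findings[key] = {"challenges": best, "authenticated": authenticated}
    return findings


def unauthenticated_passthrough(entries):
    """Requests the proxy served or tunnelled with no username, i.e. traffic
    that an http_access rule let through ahead of authentication."""
    return [(e.client, e.method, e.host, e.status)
            for e in entries
            if e.user == "-" and e.result != "TCP_DENIED" and e.status != 407]


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for (client, host), f in find_407_churn(log).items():
        print(f"407 churn: {client} -> {host}: {f['challenges']} challenges, "
              f"{f['authenticated']} authenticated responses")
    for client, method, host, status in unauthenticated_passthrough(log):
        print(f"no-auth pass-through: {client} {method} {host} status={status}")
```

Run against a real access.log, the churn report points at the client/host pairs where an application is renegotiating proxy credentials on every request, and the pass-through list is a standing inventory of every destination that per-site allow rules have exempted from authentication.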
