On 12/05/11 02:34, Ricardo Nuno wrote:
Okay, so the Basic auth protocol works. Now what about the other two? You have
Negotiate configured as the first option and NTLM configured as the second.
  It is *entirely* up to the browser which of the three options it picks to
use.
  - IE is known only to pick the first it can use and not fail over.
  - Recent Windows OS will not respond to NTLM by default.

Or it could be a simpler failure in the helpers looking up the other
protocols' tokens.

Actually I narrowed the problem down; it's even weirder than I thought.
All machines joined in the domain have no issues with the squid_kerb_auth.

We use WPAD on our network by DNS alias for Firefox and by DHCP for IE.

For the machines not joined to the domain using IE8 or IE7, to get the NTLM helper to work
I had to do the following:

In Internet Options->Connections->  LAN settings:
* Remove the check from "Automatically detect settings" (which is
crucial for WPAD)
* Introduce proxy host and port manually

In Internet Options->Advanced->Settings:
* Remove the check from "Enable Integrated Windows Authentication"

Restart IE and it starts working again with no changes to the squid or samba config.

What you have done with "Enable Integrated Windows Authentication" is disable SSO from using the Windows box login token to also log in to the proxy. The token is tightly bound to the particular username and password spelling, domain name, and encryption hash algorithm.

This is reminding me of some earlier comments (just a few months ago) about Windows 7 silently moving Kerberos tickets to a new form of AES hash algorithm some older OpenSSL do not support.


So some update changed the behavior of IE in the last 2 months; I will
try to find out which one. Any clues?

The way Windows 7 handles NTLM was a known issue for me that I
normally change in Local Security Policy,
or on the domain-joined machines I handle it with GPO.

Is there any known issue with the WPAD implementation in IE?

Only a very old bug about IE cropping one byte from the WPAD filename if the extension was >3 bytes. And old IE not understanding the IPv6 java extensions to PAC.
 Neither of those should be relevant.

Is there any other helper I can use that could do Kerberos auth and
fall back to NTLM?


The negotiate_wrapper might help, but only if you are seeing complaints about unexpected token types in your cache.log.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.12
  Beta testers wanted for 3.2.0.7 and 3.1.12.1
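Amos's hint about "unexpected token types" comes down to which token IE actually puts on the wire under the Negotiate scheme: a domain-joined box sends SPNEGO wrapping Kerberos, a non-joined box falls back to raw NTLMSSP. As an added diagnostic, not code from this thread, from Squid or from negotiate_wrapper, here is a small Python classifier for Proxy-Authorization header values; the sample tokens are constructed, not captured from a real client.

```python
import base64

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
# DER-encoded OIDs that follow the 0x60 GSS-API InitialContextToken tag
OID_SPNEGO = bytes.fromhex("06062b0601050502")           # 1.3.6.1.5.5.2
OID_KERBEROS = bytes.fromhex("06092a864886f712010202")   # 1.2.840.113554.1.2.2


def _skip_der_length(buf, pos):
    """Return the index just past the DER length field starting at buf[pos]."""
    first = buf[pos]
    if first < 0x80:            # short form: one byte
        return pos + 1
    return pos + 1 + (first & 0x7F)  # long form: low bits = number of length bytes


def classify_token(b64):
    """Tell raw NTLMSSP, SPNEGO and bare Kerberos apart in a Negotiate/NTLM token."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return "invalid-base64"
    if raw.startswith(NTLMSSP_SIGNATURE):
        return "ntlmssp"        # what a non-domain IE sends; needs the NTLM helper
    if len(raw) > 2 and raw[0] == 0x60:
        body = _skip_der_length(raw, 1)
        if raw.startswith(OID_SPNEGO, body):
            return "spnego"     # normal Kerberos SSO path via squid_kerb_auth
        if raw.startswith(OID_KERBEROS, body):
            return "kerberos"   # bare Kerberos AP-REQ without SPNEGO wrapping
    return "unknown"


def classify_header(line):
    """Classify one 'Proxy-Authorization: <scheme> <credentials>' header line."""
    _, _, value = line.partition(":")
    parts = value.split()
    if len(parts) != 2:
        return "malformed"
    scheme, token = parts[0].lower(), parts[1]
    if scheme == "basic":
        return "basic"
    if scheme in ("negotiate", "ntlm"):
        return f"{scheme}:{classify_token(token)}"
    return f"unknown-scheme:{scheme}"


# Constructed sample tokens (minimal headers only, not real client output)
SAMPLE_NTLM = base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x00" * 28).decode()
SAMPLE_SPNEGO = base64.b64encode(b"\x60\x0c" + OID_SPNEGO + b"\xa0\x02\x30\x00").decode()
SAMPLE_KRB = base64.b64encode(b"\x60\x0f" + OID_KERBEROS + b"\x01\x00\x6e\x00").decode()
```

Run it against the Proxy-Authorization values from a client capture; a "negotiate:ntlmssp" result from the non-joined machines is exactly the case negotiate_wrapper exists to hand off to the NTLM helper.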
