On 15/06/2011, at 8:09 AM, Amos Jeffries wrote:

> On Wed, 15 Jun 2011 08:48:31 +1200, Mike Bordignon (GMI) wrote:
>> On 14/06/2011 6:32 p.m., Amos Jeffries wrote:
>>> Not another one. Good luck.
>>>
>>> If you have any influence or contact with the devs of that app please help
>>> educate them of the safety issues involved with sending users' internal
>>> machine logins out over the global Internet. And HTTPS is no longer a
>>> guarantee of protection.
>>>
>>
>> I do have access to the devs, but access won't be over the Internet -
>> it'll be over a LAN. No problem there.
>>
>>>> replies with a WWW-Authenticate header. Squid doesn't appear to be
>>>> passing through the Authentication headers to the browser.
>>>
>>> Indicating that Squid has detected the TCP links involved do not support
>>> that type of auth.
>>
>> I've since used Wireshark and it appears I am receiving
>> WWW-Authenticate headers. Somewhat confused now.
>
> Welcome to the party.
>
> Could be the security levels don't match between the WebApp server and the
> workstation. NTLM has a layering system where the server advertises its
> preferred security level, and the workstation agrees or does not respond.
> There are five levels, some of which indicate willingness to accept lower
> security, some restrict only to that level or higher.
>
> This has the best explanation I've seen so far. Though it does not mention
> where Negotiate/Kerberos fits into the layers.
> http://technet.microsoft.com/en-us/magazine/2006.08.securitywatch.aspx
>
>>
>>> pipeline_prefetch is one feature which NTLM auth will break. Make sure that
>>> is turned OFF manually.
>>>
>>> HTTP/1.0 persistent connections is another. Make sure
>>> client_persistent_connections is turned ON manually in 3.1 series. Make
>>> sure that server_persistent_connections is REMOVED from your config in 3.1
>>> series, and manually turned ON in 3.0 and earlier.
>>>
>>> After that it's cross fingers and hope. If you find anything strange still
>>> going on, please mention it.
>>>
>>> When you encounter a problem the first thing asked will be to verify it on
>>> the latest release. It speeds up the fix a bit if that is where it's found.
>>
>> Thanks, I will keep that in mind. I've made the other config changes
>> you suggest but still I get prompted for a password by my browser, I
>> enter the correct password and again I get the prompt (via Firefox).
>> IE is working, however?!
>
> Which indicates the credentials are fine, as is the proxy part of the
> transaction. Firefox appears not to have security access to the OS properly
> to do the background stuff required. 2/3 of NTLM and related protocols is
> done in background actions.

If it's working in IE then it's probably one of Firefox's NTLM settings. If you enter "about:config" in the address bar of FF and then filter for "ntlm" you will see what options are available. More than likely the "network.automatic-ntlm-auth.trusted-uris;" option needs the address of the app server listed.

>
> Amos
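As an added example (not from this thread or the Squid project), a small checker for the squid.conf settings Amos lists above; the sample config fragments, the version passed in and the helper path are constructed.

```python
"""Check a squid.conf fragment against the NTLM advice in the thread above.

Added example, not from the thread or the Squid project. Rules encoded:
  - pipeline_prefetch explicitly off
  - 3.1 series: client_persistent_connections explicitly on and
    server_persistent_connections absent
  - 3.0 and earlier: server_persistent_connections explicitly on
"""

# Constructed sample fragments; the helper path is an assumption, not a real deployment.
BROKEN_CONF = """\
http_port 3128
auth_param ntlm program /usr/lib/squid3/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
pipeline_prefetch on
# client_persistent_connections on
server_persistent_connections on
"""
FIXED_CONF = """\
http_port 3128
auth_param ntlm program /usr/lib/squid3/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
pipeline_prefetch off
client_persistent_connections on
"""

def parse_directives(conf_text):
    """Map directive name -> list of values in file order, skipping comments and blanks."""
    directives = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        directives.setdefault(parts[0], []).append(parts[1].lower() if len(parts) > 1 else "")
    return directives

def ntlm_config_issues(conf_text, squid_version):
    """Return the list of advice violations; an empty list means none were found."""
    d = parse_directives(conf_text)
    last = lambda name: d[name][-1] if name in d else None   # last occurrence wins
    series = tuple(int(x) for x in squid_version.split(".")[:2])  # e.g. "3.1.12" -> (3, 1)
    issues = []
    if last("pipeline_prefetch") != "off":
        issues.append("pipeline_prefetch is not explicitly off")
    if series >= (3, 1):
        if last("client_persistent_connections") != "on":
            issues.append("client_persistent_connections not explicitly on (3.1 series)")
        if "server_persistent_connections" in d:
            issues.append("server_persistent_connections must be removed (3.1 series)")
    elif last("server_persistent_connections") != "on":
        issues.append("server_persistent_connections not explicitly on (3.0 and earlier)")
    return issues

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(label, ntlm_config_issues(conf, "3.1.12") or ["ok"])
```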