-----Original Message-----
From: Clem [mailto:[email protected]]
Sent: Tuesday, 3 April 2012 16:54
To: 'Amos Jeffries'
Subject: RE: [squid-users] https analyze, squid rpc proxy to rpc proxy ii6 
exchange2007 with ntlm

Hi Amos,

>What do you mean by "squid is handled only LM" ??

>Windows7 by default should be using Kerberos. It can downgrade to NTLMv2 if 
>necessary for compatibility with old systems, but no further unless configured 
>to use weaker security encodings.

The fact is, when I enable "use only NTLM" Outlook doesn't connect, two 
tcp_miss 200 and nothing; same with "use only NTLMv2". When I enable "use LM 
and NTLM", that works. So I assumed that only LM via squid is working.
Without squid, all NTLM versions work!

In XP, no changes in the config, same config in Outlook for the HTTP proxy, and 
that works, but in XP by default we have LM and NTLM in the security policies.

> Their choice of word "principal" instead of "domain" or "authority" in
> that setting makes me think that is a Kerberos principal key, rather than a 
> certificate authority or NTLM domain scope.
>   Bad naming on MS part? or something more complex than just NTLM going on?

Microsoft says that the principal name = the common name of the certificate, 
the "issued to" name.


-----Original Message-----
From: Amos Jeffries [mailto:[email protected]]
Sent: Tuesday, 3 April 2012 16:05
To: [email protected]
Subject: Re: [squid-users] https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm

On 3/04/2012 11:34 p.m., Clem wrote:
> Hi,
>
> My report with windows7 ->  squid ->  outlook anywhere with NTLM
>
> I have to modify Windows7 local policies for LAN Manager to ->  LM and NTLM 
> only, by default windows7 sends NTLMv2 only, and squid is handled only LM, 
> when I choose NTLM only, that doesn't work either.

What do you mean by "squid is handled only LM" ??

Windows7 by default should be using Kerberos. It can downgrade to NTLMv2 if 
necessary for compatibility with old systems, but no further unless configured 
to use weaker security encodings.

>
> Plus that, I have to disable the "connect only to server proxy certificate 
> that use this principal (common) name : msstd : externalfqdn" in HTTP PROXY 
> of Outlook (2007/2010).

Their choice of word "principal" instead of "domain" or "authority" in that 
setting makes me think that is a Kerberos principal key, rather than a 
certificate authority or NTLM domain scope.
  Bad naming on MS part? or something more complex than just NTLM going on?

>
> With these two settings I can connect to my exchange via squid, but it's not 
> very easy ... My goal is to not modify parameters on my laptop external 
> clients...
>
> When these options aren't modified, the issue is clearly the same, two 
> TCP_MISS 200 messages and nothing, and "server is unavailable". Even in 
> http1.0 or http1.1; I've tested with 2.7 (http11 option), 3.1.19 (http 1.0) 
> and 3.2.0.16 (http1.1)
>
> How can squid send NTLMv2 sequences? How can squid fake a "msstd: CN" 
> message?
>
> Squid can work with XP natively, but with Windows 7 it's not very clearly 
> simple ://
>
> Regards
>
> Clem
>
> -----Original Message-----
> From: Clem [mailto:[email protected]]
> Sent: Monday, 2 April 2012 16:20
> To: [email protected]
> Subject: RE: [squid-users] https analyze, squid rpc proxy to rpc proxy ii6 
> exchange2007 with ntlm
>
> Does the FRONT_END_HTTPS cache_peer setting make any change to that flags 
> behaviour?
>
> Whether I write this option in cache_peer or not, no change ...
>
> -----Original Message-----
> From: Amos Jeffries [mailto:[email protected]]
> Sent: Monday, 2 April 2012 16:00
> To: [email protected]
> Subject: Re: [squid-users] https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm
>
> On 3/04/2012 1:33 a.m., Clem wrote:
>> Re,
>>
>> I've found the option that generates the issue only with windows7: in the 
>> Outlook proxy HTTP settings window, we have this checked automatically: connect 
>> only to server proxy certificate that use this principal (common) name :
>> Msstd : externalfqdn
>>
>> When I uncheck this option, my Outlook (2007/2010) can connect through squid 
>> with ntlm to my Exchange via outlook anywhere. If it's checked I've got a: 
>> server is unavailable.
>> In windows XP, checked or not, that works.
>>
>> By the way, after the connection to exchange succeeds in w7, that option rechecks 
>> itself automatically ...
>>
>> The point is, why ? Maybe windows7 is more paranoid with certificate ??
>>
>> Have you an idea ?
> Strange. Smells like a bug in Windows7 or a domain policy being pushed out.
>
> Does the FRONT_END_HTTPS cache_peer setting make any change to that flags 
> behaviour?
>
> Amos
>

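An added configuration example, not taken from this thread or from the Squid project's own documentation, showing how the cache_peer options discussed above (front-end-https and NTLM pass-through to the Exchange CAS) fit together in a reverse-proxy squid.conf for Outlook Anywhere. Hostnames, certificate paths and the peer name are placeholders.

```conf
# Added example (not from the thread): Squid 3.1-style reverse proxy in front of
# Exchange 2007 Outlook Anywhere (RPC over HTTP) with NTLM passed through to the
# origin server. mail.example.com, cas.internal.example, the cert paths and the
# peer name exchangeCAS are placeholders.

# TLS listener for Outlook clients. defaultsite must match the name Outlook is
# configured to use, otherwise the /rpc virtual directory is never reached.
https_port 443 accel cert=/etc/squid/mail.example.com.crt key=/etc/squid/mail.example.com.key defaultsite=mail.example.com

# Exchange CAS as an origin server over TLS.
#   login=PASSTHRU      forward the client's Authorization header unchanged
#   connection-auth=on  pin each client connection to one server connection;
#                       NTLM authenticates the TCP connection, not each request
#   front-end-https=on  send "Front-End-Https: On" so Exchange knows the client
#                       side was TLS even though it sees the proxy's own link
cache_peer cas.internal.example parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER login=PASSTHRU connection-auth=on front-end-https=on name=exchangeCAS

# Only the Outlook Anywhere endpoint on the published name reaches the peer;
# everything else is refused rather than forwarded.
acl exch_host dstdomain mail.example.com
acl outlook_anywhere urlpath_regex -i ^/rpc/rpcproxy\.dll
cache_peer_access exchangeCAS allow exch_host outlook_anywhere
cache_peer_access exchangeCAS deny all
http_access allow exch_host outlook_anywhere
http_access deny all
```

Without connection-auth=on the NTLM handshake can appear to complete (200 responses in access.log) while the authenticated connection is not the one later requests use, which is the kind of stall to rule out first when comparing NTLM and NTLMv2 client settings.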