>-----Original Message----- >From: Kris Glynn >Sent: Wednesday, 29 May 2013 1:07 PM >To: [email protected] >Subject: Diffence between NTLM in 2.6 compared to 3.3.5 - Citrix ? > >I've noticed that since upgrading from Squid 2.6 to Squid 3.3.5 the Citrix ICA >Client will no longer authenticate via NTLM to squid 3.3.5 - the ICA client >just keeps popping up asking for NTLM auth - at no stage does it fallback to >basic auth. > >Every other NTLM aware application whether it be IE, Firefox, Chrome and even >curl works fine and can authenticate no problems via NTLM however the Citrix >ICA client just won't work. > >If I change back to squid 2.6 it works fine. Both are using exactly the same >squid.conf with... > ># Pure NTLM Auth - fallback >auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp >auth_param ntlm children 60 startup=15 idle=10 auth_param ntlm keep_alive off > ># BASIC Auth - fallback >auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic >auth_param basic children 10 auth_param basic realm Internet Access auth_param >basic credentialsttl 1 hours > >Has anyone else experienced this?
To answer my own question it was due to Citrix ICA Client (I'm using 13.4.0 - latest version) ignoring "Connection: keep-alive" headers in squid 3.3.x and starting new connection breaking the NTLM auth challenge. Squid 2.6.x sends "Proxy-Connection: keep-alive" with NTLM auth responses which is the only header the Citrix ICA Client appears to accept to maintain keepalive. What RFC can I point Citrix at so I can submit a bug with them to fix their client and accept both headers? Am I correct in saying that Squid 2.6 is a HTTP/1.0 proxy and 3.x are HTTP/1.1 proxies? The content of this e-mail, including any attachments, is a confidential communication between Virgin Australia Airlines Pty Ltd (Virgin Australia) or its related entities (or the sender if this email is a private communication) and the intended addressee and is for the sole use of that intended addressee. If you are not the intended addressee, any use, interference with, disclosure or copying of this material is unauthorized and prohibited. If you have received this e-mail in error please contact the sender immediately and then delete the message and any attachment(s). There is no warranty that this email is error, virus or defect free. This email is also subject to copyright. No part of it should be reproduced, adapted or communicated without the written consent of the copyright owner. If this is a private communication it does not represent the views of Virgin Australia or its related entities. Please be aware that the contents of any emails sent to or from Virgin Australia or its related entities may be periodically monitored and reviewed. Virgin Australia and its related entities respect your privacy. Our privacy policy can be accessed from our website: www.virginaustralia.com
