[squid-users] citrix receiver not authenticating with squid

Natxo Asenjo natxo.asenjo at gmail.com
Tue Dec 16 18:40:24 UTC 2014


hi,

we have 2 centos 6 hosts providing a load-balanced squid service
(behind keepalived and haproxy; haproxy sends requests to both squids)
and authenticating users against an Active Directory environment. This
is working really nice.

Our users log in to their desktops and, using the negotiate authenticator
squid_kerb_auth, they get automatically logged in to the proxies. As a
fallback for users using them but not logging in to the Kerberos AD
domain, we offer LDAP authentication as well. That works fine too.

However, some of our users need to log in to other organizations'
desktops using the Citrix Receiver plugin and Internet Explorer. And
there it fails. The plugin apparently does not use the negotiate
authenticator, so it falls back to the LDAP authenticator. This works for
a few minutes, but after some time the Receiver LDAP authentication
pop-up re-appears, and then again, and again. Not nice.

Does anyone have squid working to access citrix vpn sites without this
problem? Do you know what setting to tweak?

Could it be that the load-balanced setting is provoking this? Should I
have the haproxy config as a primary/slave instead of both masters?

This is a piece of the log file:

172.20.4.33 - - [16/Dec/2014:14:59:47 +0100] "CONNECT login.site.com:443 HTTP/1.0" 407 3996 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)" TCP_DENIED:NONE
172.20.4.33 - - [16/Dec/2014:14:59:48 +0100] "CONNECT login.site.com:443 HTTP/1.0" 407 3996 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)" TCP_DENIED:NONE
172.20.4.33 - - [16/Dec/2014:14:59:48 +0100] "CONNECT login.site.com:443 HTTP/1.0" 407 3996 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)" TCP_DENIED:NONE
172.20.4.33 - user@DOMAIN [16/Dec/2014:15:00:03 +0100] "CONNECT login.site.com:443 HTTP/1.0" 200 20472 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)" TCP_MISS:DIRECT
172.20.4.33 -user@DOMAIN [16/Dec/2014:15:00:03 +0100] "CONNECT login.site.com:443 HTTP/1.0" 200 41726 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)" TCP_MISS:DIRECT
172.20.4.33 -user@DOMAIN [16/Dec/2014:15:00:28 +0100] "CONNECT login.site.com:443 HTTP/1.0" 200 20447 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)" TCP_MISS:DIRECT
172.20.4.33 - - [16/Dec/2014:15:01:37 +0100] "CONNECT login.site.com:443 HTTP/1.0" 407 3996 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)" TCP_DENIED:NONE
172.20.4.33 -user@DOMAIN [16/Dec/2014:15:01:54 +0100] "CONNECT login.site.com:443 HTTP/1.0" 200 32958 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)" TCP_MISS:DIRECT

My squid.conf for completeness

acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

auth_param negotiate program /usr/lib/squid/squid_kerb_auth -i -s HTTP/proxy.domain.tld@DOMAIN.TLD
auth_param negotiate children 10
auth_param negotiate keep_alive on
acl auth proxy_auth REQUIRED

auth_param basic program /usr/lib/squid/squid_ldap_auth -b dc=domain,dc=tld -f "samaccountname=%s" -s sub -D user -W /etc/squid/squid_ldap_bind -h dc1.domain.tld,dc2.domain.tld,dc3.domain.tld -p 3268 -Z
auth_param basic children 10
auth_param basic realm Proxy LDAP Authentication
auth_param basic credentialsttl 8 hours

acl SSL_ports port 443
acl SSL_ports port 1494
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

http_access allow localhost

http_access deny !auth
http_access allow auth

http_access deny all

# Squid normally listens to port 3128
http_port 3128

# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?

logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
access_log /var/log/squid/combined.log combined

Thanks in advance.

--
Groeten,
natxo
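An added example (not from the original post, nor Squid's own code) that parses lines in the "combined" logformat quoted above and measures how often a client that has already authenticated receives a fresh 407 on the same CONNECT target, which is one way to quantify the re-prompt loop described. The sample lines are constructed from the excerpt in the post; the second client and the shortened User-Agent are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Field order of the "combined" logformat in the post:
# %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
# %ui is matched lazily so that "- -", "- user@DOMAIN" and "-user@DOMAIN" all parse.
LINE_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+?)\s*(?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) HTTP/(?P<ver>\S+)" (?P<status>\d{3}) (?P<bytes>\d+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)" (?P<squid>\S+)$'
)

UA = '"-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1)"'  # referer + user-agent (constructed)
SAMPLE_LOG = [  # constructed sample, modelled on the access.log excerpt in the post
    f'172.20.4.33 - - [16/Dec/2014:14:59:47 +0100] "CONNECT login.site.com:443 HTTP/1.0" 407 3996 {UA} TCP_DENIED:NONE',
    f'172.20.4.33 - user@DOMAIN [16/Dec/2014:15:00:03 +0100] "CONNECT login.site.com:443 HTTP/1.0" 200 20472 {UA} TCP_MISS:DIRECT',
    f'172.20.4.33 -user@DOMAIN [16/Dec/2014:15:00:28 +0100] "CONNECT login.site.com:443 HTTP/1.0" 200 20447 {UA} TCP_MISS:DIRECT',
    f'172.20.4.33 - - [16/Dec/2014:15:01:37 +0100] "CONNECT login.site.com:443 HTTP/1.0" 407 3996 {UA} TCP_DENIED:NONE',
    f'172.20.4.33 - user@DOMAIN [16/Dec/2014:15:01:54 +0100] "CONNECT login.site.com:443 HTTP/1.0" 200 32958 {UA} TCP_MISS:DIRECT',
    # a second client (constructed) that is challenged once and then stays authenticated
    f'172.20.4.50 - - [16/Dec/2014:15:00:00 +0100] "CONNECT login.site.com:443 HTTP/1.0" 407 3996 {UA} TCP_DENIED:NONE',
    f'172.20.4.50 - other@DOMAIN [16/Dec/2014:15:00:05 +0100] "CONNECT login.site.com:443 HTTP/1.0" 200 20000 {UA} TCP_MISS:DIRECT',
]

def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def rechallenges(lines):
    """Per (client, url): seconds between an authenticated 200 and the next 407 on the
    same target. The first 407 of a session is the normal challenge and is not counted."""
    last_ok = {}
    gaps = defaultdict(list)
    records = sorted(filter(None, map(parse_line, lines)), key=lambda r: r["ts"])
    for rec in records:
        key = (rec["client"], rec["url"])
        if rec["status"] == 200 and rec["user"] != "-":
            last_ok[key] = rec["ts"]            # client is currently authenticated
        elif rec["status"] == 407 and key in last_ok:
            gaps[key].append((rec["ts"] - last_ok.pop(key)).total_seconds())
    return dict(gaps)
```

Run it over a real combined.log (one line per record) and a client that shows many short gaps is being re-prompted; comparing the gaps against `credentialsttl` and across the two load-balanced squids tells whether the TTL or the balancing is the trigger.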

