[squid-users] citrix receiver not authenticating with squid

Brendan Kearney bpk678 at gmail.com
Tue Dec 16 19:13:10 UTC 2014


On Tue, 2014-12-16 at 19:40 +0100, Natxo Asenjo wrote:
> hi,
> 
> we have 2 centos 6 hosts providing a load-balanced squid service
> (behind keepalived and haproxy; haproxy sends requests to both squids)
> and authenticating users against an Active Directory environment. This
> is working really nice.
> 
> Our users log in their desktops and using the negotiate authenticator
> squid_kerb_auth they get automatically logged in the proxies. As a
> fall back for users using them but not logging in to the kerberos AD
> domain, we offer ldap authentication as well. That works fine too.
> 
> However, some of our users need to log in to other organizations
> desktops using the citrix reciever plugin and Internet Explorer. And
> there it fails. The plugin does not use the negotiate authenticator
> apparently so it falls back to the ldap authenticator. This works for
> a few minutes, but after some time the receiver ldap authentication
> pop up re-appears, and then again, and again. Not nice.
> 
> Does anyone have squid working to access citrix vpn sites without this
> problem? Do you know what setting to tweak?
> 
> Could it be that the load-balanced setting is provoking this? Should I
> have the haproxy config as a primary/slave instead of both masters?
> 
> This is a piece of the log file:
> 
> 172.20.4.33 - - [16/Dec/2014:14:59:47 +0100] "CONNECT
> login.site.com:443 HTTP/1.0" 407 3996 "-" "Mozilla/5.0 (compatible;
> MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)" TCP_DENIED:NONE
> 172.20.4.33 - - [16/Dec/2014:14:59:48 +0100] "CONNECT
> login.site.com:443 HTTP/1.0" 407 3996 "-" "Mozilla/5.0 (compatible;
> MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)" TCP_DENIED:NONE
> 172.20.4.33 - - [16/Dec/2014:14:59:48 +0100] "CONNECT
> login.site.com:443 HTTP/1.0" 407 3996 "-" "Mozilla/5.0 (compatible;
> MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)" TCP_DENIED:NONE
> 172.20.4.33 - user at DOMAIN [16/Dec/2014:15:00:03 +0100] "CONNECT
> login.site.com:443 HTTP/1.0" 200 20472 "-" "Mozilla/5.0 (compatible;
> MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)" TCP_MISS:DIRECT
> 172.20.4.33 - user at DOMAIN [16/Dec/2014:15:00:03 +0100] "CONNECT
> login.site.com:443 HTTP/1.0" 200 41726 "-" "Mozilla/5.0 (compatible;
> MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)" TCP_MISS:DIRECT
> 172.20.4.33 - user at DOMAIN [16/Dec/2014:15:00:28 +0100] "CONNECT
> login.site.com:443 HTTP/1.0" 200 20447 "-" "Mozilla/5.0 (compatible;
> MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)" TCP_MISS:DIRECT
> 172.20.4.33 - - [16/Dec/2014:15:01:37 +0100] "CONNECT
> login.site.com:443 HTTP/1.0" 407 3996 "-" "Mozilla/5.0 (compatible;
> MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)" TCP_DENIED:NONE
> 172.20.4.33 - user at DOMAIN [16/Dec/2014:15:01:54 +0100] "CONNECT
> login.site.com:443 HTTP/1.0" 200 32958 "-" "Mozilla/5.0 (compatible;
> MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)" TCP_MISS:DIRECT
> 
> My squid.conf for completeness
> 
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32 ::1
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
> 
> auth_param negotiate program /usr/lib/squid/squid_kerb_auth -i -s
> HTTP/proxy.domain.tld at DOMAIN.TLD
> auth_param negotiate children 10
> auth_param negotiate keep_alive on
> acl auth proxy_auth REQUIRED
> 
> auth_param basic program /usr/lib/squid/squid_ldap_auth -b dc=domain,dc=tld -f "samaccountname=%s" -s sub -D user -W /etc/squid/squid_ldap_bind -h dc1.domain.tld,dc2.domain.tld,dc3.domain.tld -p 3268 -Z
> auth_param basic children 10
> auth_param basic realm Proxy LDAP Authentication
> auth_param basic credentialsttl 8 hours
> 
> acl SSL_ports port 443
> acl SSL_ports port 1494
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl CONNECT method CONNECT
> 
> #
> # Recommended minimum Access Permission configuration:
> #
> # Only allow cachemgr access from localhost
> http_access allow manager localhost
> http_access deny manager
> 
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
> 
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
> 
> http_access allow localhost
> 
> http_access deny !auth
> http_access allow auth
> 
> http_access deny all
> 
> # Squid normally listens to port 3128
> http_port 3128
> 
> # We recommend you to use at least the following line.
> hierarchy_stoplist cgi-bin ?
> 
> logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st
> "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
> access_log /var/log/squid/combined.log combined
> 
> Thanks in advance.
> 
> --
> Groeten,
> natxo
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

Citrix sessions are not SSL sessions, so any bumping will need to exempt
the traffic from inspection.  Citrix uses some encryption that is not
considered HTTPS/SSL.

Are you able to implement NTLM?  We don't run squid at work, but I do
force Kerberos auth and fall back to NTLM when we have to.  None of the
users have issues with proxy auth in those cases.  Not sure if Kerberos
or NTLM auth is used.

Are the raw Citrix ports (1434 or whatever) being used, or is it being
tunneled over 443?  Maybe you need to look at the SSL_ports list and add
the raw ports to the list.
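As an added example, not from either poster: a short Python script that parses lines written by the `combined` logformat in the quoted squid.conf and flags clients that receive a fresh 407 after they have already sent credentials Squid accepted, reporting how long after the last authenticated request each re-prompt arrived. That is the pattern visible in the quoted log (three 200s for `user@DOMAIN`, then a 407 with no user 69 seconds later). The sample lines are constructed after the ones in the post, with the archive's " at " in the user field restored to "@"; the function names and the second, well-behaved client are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Field layout of the 'combined' logformat from the squid.conf quoted above:
# %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
LINE_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) HTTP/(?P<ver>[\d.]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" '
    r'(?P<squid>[A-Z_]+):(?P<hier>\S+)$'
)

UA = '"Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"'


def _line(client, user, ts, status, size, squid):
    """Build one constructed log line in the format above (sample data only)."""
    return (f'{client} - {user} [{ts}] "CONNECT login.site.com:443 HTTP/1.0" '
            f'{status} {size} "-" {UA} {squid}')


# Constructed sample: the 172.20.4.33 lines mirror the thread; 172.20.4.50 is an
# assumed second client that authenticates once and is never re-challenged.
SAMPLE_LOG = "\n".join([
    _line("172.20.4.33", "-", "16/Dec/2014:14:59:47 +0100", 407, 3996, "TCP_DENIED:NONE"),
    _line("172.20.4.33", "-", "16/Dec/2014:14:59:48 +0100", 407, 3996, "TCP_DENIED:NONE"),
    _line("172.20.4.33", "-", "16/Dec/2014:14:59:48 +0100", 407, 3996, "TCP_DENIED:NONE"),
    _line("172.20.4.33", "user@DOMAIN", "16/Dec/2014:15:00:03 +0100", 200, 20472, "TCP_MISS:DIRECT"),
    _line("172.20.4.33", "user@DOMAIN", "16/Dec/2014:15:00:03 +0100", 200, 41726, "TCP_MISS:DIRECT"),
    _line("172.20.4.33", "user@DOMAIN", "16/Dec/2014:15:00:28 +0100", 200, 20447, "TCP_MISS:DIRECT"),
    _line("172.20.4.33", "-", "16/Dec/2014:15:01:37 +0100", 407, 3996, "TCP_DENIED:NONE"),
    _line("172.20.4.33", "user@DOMAIN", "16/Dec/2014:15:01:54 +0100", 200, 32958, "TCP_MISS:DIRECT"),
    _line("172.20.4.50", "-", "16/Dec/2014:14:59:50 +0100", 407, 3996, "TCP_DENIED:NONE"),
    _line("172.20.4.50", "bob@DOMAIN", "16/Dec/2014:14:59:51 +0100", 200, 18234, "TCP_MISS:DIRECT"),
    _line("172.20.4.50", "bob@DOMAIN", "16/Dec/2014:15:02:10 +0100", 200, 19001, "TCP_MISS:DIRECT"),
])


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["user"] = None if rec["user"] == "-" else rec["user"]
    return rec


def analyze(log_text):
    """Per client: number of 407 challenges, authenticated requests, and the gap in
    seconds between the last authenticated request and each later re-challenge."""
    stats = defaultdict(lambda: {"challenges": 0, "authenticated": 0,
                                 "reprompt_gaps": [], "users": set()})
    last_ok = {}  # client -> timestamp of its most recent authenticated request
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        client, s = rec["client"], stats[rec["client"]]
        if rec["status"] == 407:
            s["challenges"] += 1
            if client in last_ok:
                # A 407 after accepted credentials: the client sent no usable
                # Proxy-Authorization this time. Count a burst of 407s once.
                s["reprompt_gaps"].append((rec["ts"] - last_ok.pop(client)).total_seconds())
        elif rec["user"] is not None:
            s["authenticated"] += 1
            s["users"].add(rec["user"])
            last_ok[client] = rec["ts"]
    return dict(stats)


def report(stats):
    """Human-readable lines for clients that were re-challenged after authenticating."""
    out = []
    for client, s in sorted(stats.items()):
        if s["reprompt_gaps"]:
            gaps = [round(g) for g in s["reprompt_gaps"]]
            out.append(f"{client}: {len(gaps)} re-prompt(s) after authenticated traffic, "
                       f"gaps {gaps}s, users {sorted(s['users'])}")
    return out


if __name__ == "__main__":
    for line in report(analyze(SAMPLE_LOG)):
        print(line)
```

Run it against `/var/log/squid/combined.log` from both proxies (concatenate them, since haproxy spreads one client across both) and the gaps column tells you whether the re-prompts cluster around a fixed interval or follow the client's own activity; a 407 for a client that was authenticated seconds earlier means the request arrived without the Proxy-Authorization header, which points at the client, not at `credentialsttl`.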


