[squid-users] NTLM authentication problems with HTTP 1.1

Samuel Anderson sam at idsdoc.com
Wed Apr 8 15:20:45 UTC 2015


Hello all,


I'm having a problem where HTTP 1.1 connect requests do not authenticate
using NTLM. Browsing the internet works fine in all major browsers; I
mostly see this occurring in programs that are installed locally on a user's
computer. Using Wireshark I'm able to follow the TCP stream and I can see
that the server returns the error (407 Proxy Authentication Required). I am
able to work around this problem by explicitly bypassing a domain from
requiring authentication; however, I really don't want to do that. Any ideas
would be appreciated very much.

Thanks,


Below is the content summary of some of the network packets that I'm
working with, along with my config file.

TCP Stream Content

####################
CONNECT batch.internetpostage.com:443 HTTP/1.1
Host: batch.internetpostage.com
Proxy-Connection: Keep-Alive


HTTP/1.1 407 Proxy Authentication Required
Server: squid/3.3.8
Mime-Version: 1.0
Date: Tue, 07 Apr 2015 21:02:24 GMT
Content-Type: text/html
Content-Length: 3208
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
Proxy-Authenticate: Negotiate
Proxy-Authenticate: NTLM
X-Cache: MISS from squid2.****.local
X-Cache-Lookup: NONE from squid2.****.local:3128
Via: 1.1 squid2.****.local (squid/3.3.8)
Connection: close
####################

CONFIG File

####################

#Kerberos and NTLM authentication

auth_param negotiate program /usr/local/bin/negotiate_wrapper --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=****.LOCAL --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
auth_param negotiate children 30
auth_param negotiate keep_alive off

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=****
auth_param ntlm children 30
auth_param ntlm keep_alive off

# AD group membership lookup

external_acl_type ldap_group ttl=60 children-startup=10 children-max=50 children-idle=2 %LOGIN /usr/lib/squid3/ext_ldap_group_acl -R -K -S -b "DC=****,DC=local" -D "CN=SQUID,OU=**** Service Accounts,DC=****,DC=local" -w "****" -f "(&(objectclass=person) (sAMAccountname=%v)(memberof=CN=%a,OU=PROXY,ou=ALL **** Groups,DC=**** ,DC=local))" -h dc1.****.local,dc2.****.local,dc3.****.local,dc4.****.local

# auth required

acl auth proxy_auth REQUIRED
http_access deny !auth all

####################

-- 
Samuel Anderson  |  Information Technology Administrator  |  International
Document Services

IDS  |  11629 South 700 East, Suite 200  |  Draper, UT 84020-4607
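
An added example, not part of the original post: a Python check over a followed TCP stream like the one above, reporting whether any CONNECT carried a Proxy-Authorization header, which schemes the 407 offered, and whether the proxy closed the connection. The function names are hypothetical, and the embedded sample is the auth-relevant part of the posted capture.

```python
import re

# Sample: the request and auth-relevant response headers from the posted capture.
SAMPLE_STREAM = """\
CONNECT batch.internetpostage.com:443 HTTP/1.1
Host: batch.internetpostage.com
Proxy-Connection: Keep-Alive

HTTP/1.1 407 Proxy Authentication Required
Server: squid/3.3.8
Proxy-Authenticate: Negotiate
Proxy-Authenticate: NTLM
Connection: close
"""

# Request line ("METHOD target HTTP/x.y") or status line ("HTTP/x.y NNN ...").
START_LINE = re.compile(r"^(?:[A-Z]+ \S+ HTTP/\d\.\d|HTTP/\d\.\d \d{3}\b)")


def parse_messages(stream):
    """Yield (start_line, headers) per HTTP message; body text is skipped."""
    for block in re.split(r"\n\s*\n", stream.replace("\r\n", "\n")):
        lines = [ln.strip() for ln in block.split("\n") if ln.strip()]
        if not lines or not START_LINE.match(lines[0]):
            continue  # HTML error page or other non-header text
        headers = [(n.strip().lower(), v.strip())
                   for n, sep, v in (ln.partition(":") for ln in lines[1:]) if sep]
        yield lines[0], headers


def triage(stream):
    """Count CONNECTs, credentials sent, and what each 407 offered."""
    r = {"connects": 0, "with_credentials": 0, "challenges": 0,
         "offered": [], "proxy_closed": False}
    for start, headers in parse_messages(stream):
        if start.startswith("CONNECT "):
            r["connects"] += 1
            r["with_credentials"] += any(n == "proxy-authorization" for n, _ in headers)
        elif start.split()[1] == "407":
            r["challenges"] += 1
            for n, v in headers:
                if n == "proxy-authenticate" and v and v.split()[0] not in r["offered"]:
                    r["offered"].append(v.split()[0])
                if n in ("connection", "proxy-connection") and v.lower() == "close":
                    r["proxy_closed"] = True
    r["client_answered"] = r["with_credentials"] > 0
    return r


if __name__ == "__main__":
    print(triage(SAMPLE_STREAM))
```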
