[squid-users] Squid/NTLM Auth

Keith White keith.white at emdmillipore.com
Fri Nov 6 19:41:02 UTC 2015

I ran a couple of packet captures and I saw the 407 from the proxy back to the client and the corresponding NTLMSSP_AUTH from the client back to the proxy with my DOMAIN\USER. After this is some Kerberos traffic and then the 407 pops up again.



-----Original Message-----
From: Amos Jeffries [mailto:squid3 at treenet.co.nz]
Sent: Monday, October 26, 2015 4:24 PM
To: Keith White <keith.white at emdmillipore.com>; squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Squid/NTLM Auth

On 24/10/2015 1:44 a.m., Keith White wrote:
> I changed around the DNS servers and still no luck.  This also popped
> up in the log
> Acl.cc(70) AuthenticateAcl: returning 2 sending credentials to helper.
> 2015/10/23 05:41:35.259 kid1| 28,3| Acl.cc(158) matches: checked:
> AuthorizedUsers = -1 async
> 2015/10/23 05:41:35.259 kid1| 28,3| Acl.cc(158) matches: checked:
> http_access#3 = -1 async
> 2015/10/23 05:41:35.259 kid1| 28,3| Acl.cc(158) matches: checked:
> http_access = -1 async
> 2015/10/23 05:41:35.259 kid1| ERROR: NTLM Authentication validating
> user. Result: {result=BH, notes={message: NT_STATUS_UNSUCCESSFUL
> 2015/10/23 05:41:35.260 kid1| 29,5| UserRequest.cc(73) valid: Validated. Auth::UserRequest '0x12c1f10'.

IIRC that BH response happens when the helper gets a type-3 token without having been part of the handshake dance that led up to it. The helpers are stateful and the same one needs to be part of the whole handshake.

That can happen if the connection is closed for some reason after the type-2 token is sent, and the client is brokenly continuing on a new connection (Firefox is known to do that, others might too).

The connection is allowed to close after the initial 407 challenge. Some clients are broken and require that to happen - which is where the "auth_param ntlm keep_alive off" setting helps.

But not once the type-2 token is sent on the second 407. Squid should be enforcing a persistent TCP connection from then onwards.

The next step is to look at either the HTTP messages or the TCP packet level to find out what (if anything) is closing the connection between the type-2 and type-3 token messages; that's probably your problem.
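
The check Amos suggests, as an added example that is not part of this thread or of Squid itself: a small Python script that walks an HTTP proxy exchange at the message level and reports a type-3 (AUTHENTICATE) token arriving on a connection that never carried the type-2 (CHALLENGE) for it, which is the situation the stateful helper answers with BH. The sample messages are constructed; the NTLMSSP blobs in them carry only the real 8-byte "NTLMSSP\0" signature and the 32-bit little-endian MessageType field that every NTLMSSP message starts with, not a full negotiate/challenge/authenticate payload. The connection identifiers, the "C>P"/"P>C" direction labels and the function names are assumptions made for the example.

```python
"""Spot an NTLM type-3 token sent on a different TCP connection than the
one that received the type-2 challenge. Added example, not Squid code."""
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"          # real NTLMSSP signature
NEGOTIATE, CHALLENGE, AUTHENTICATE = 1, 2, 3  # NTLMSSP MessageType values


def ntlm_message_type(token_b64):
    """Return the MessageType (1, 2 or 3) of a base64 NTLMSSP token, or None.

    Every NTLMSSP message starts with the signature followed by a 32-bit
    little-endian MessageType, so 12 bytes are enough to classify it.
    """
    try:
        raw = base64.b64decode(token_b64, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    if len(raw) < 12 or raw[:8] != NTLMSSP_SIGNATURE:
        return None
    return struct.unpack_from("<I", raw, 8)[0]


def ntlm_token_from_message(message):
    """Extract the token from a Proxy-Authorization / Proxy-Authenticate header.

    A bare 'NTLM' (the proxy's first 407) yields '', no NTLM header yields None.
    Only the header block is inspected; the body, if any, is ignored.
    """
    head = message.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:       # skip request/status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in ("proxy-authorization",
                                            "proxy-authenticate"):
            scheme, _, token = value.strip().partition(" ")
            if scheme.upper() == "NTLM":
                return token.strip()
    return None


def find_handshake_faults(events):
    """events: list of (connection_id, direction, http_message) in wire order.

    direction is "C>P" (client to proxy) or "P>C" (proxy to client); the
    connection_id is whatever the capture tool used to tell TCP streams apart.
    Returns the faults found; an empty list means every type-3 stayed on the
    connection that carried its type-2. Closing after the first, bare 407 is
    allowed and is therefore not reported.
    """
    challenged = set()   # connections on which the proxy has sent a type-2
    faults = []
    for conn, direction, msg in events:
        token = ntlm_token_from_message(msg)
        if not token:                       # no NTLM header, or bare 'NTLM'
            continue
        mtype = ntlm_message_type(token)
        if direction == "P>C" and mtype == CHALLENGE:
            challenged.add(conn)
        elif direction == "C>P" and mtype == AUTHENTICATE:
            if conn in challenged:
                challenged.discard(conn)    # handshake completed in place
            else:
                faults.append(
                    f"type-3 on connection {conn} without a preceding type-2 on it")
    return faults


def constructed_token(mtype):
    """Constructed minimal blob: signature + MessageType + zero padding.
    Enough for the type check above, not a valid NTLM message."""
    blob = NTLMSSP_SIGNATURE + struct.pack("<I", mtype) + b"\x00" * 20
    return base64.b64encode(blob).decode()


def _exchange(type3_conn):
    """Constructed exchange; only the connection carrying the type-3 varies."""
    t1, t2, t3 = (constructed_token(m) for m in (NEGOTIATE, CHALLENGE, AUTHENTICATE))
    req = "GET http://example.test/ HTTP/1.1\r\nHost: example.test\r\n"
    return [
        ("conn-1", "C>P", req + "\r\n"),
        ("conn-1", "P>C", "HTTP/1.1 407 Proxy Authentication Required\r\n"
                          "Proxy-Authenticate: NTLM\r\n\r\n"),
        # client may legitimately reconnect after the bare 407
        ("conn-2", "C>P", req + f"Proxy-Authorization: NTLM {t1}\r\n\r\n"),
        ("conn-2", "P>C", "HTTP/1.1 407 Proxy Authentication Required\r\n"
                          f"Proxy-Authenticate: NTLM {t2}\r\n\r\n"),
        (type3_conn, "C>P", req + f"Proxy-Authorization: NTLM {t3}\r\n\r\n"),
    ]


def good_exchange():
    return _exchange("conn-2")    # type-3 on the same connection as the type-2


def broken_exchange():
    return _exchange("conn-3")    # type-3 on a fresh connection: helper sees BH


if __name__ == "__main__":
    print("good:", find_handshake_faults(good_exchange()))
    print("broken:", find_handshake_faults(broken_exchange()))
```

To use it against a real capture, export each HTTP message with its TCP stream number from the capture tool (that number becomes the connection id) and feed the list to find_handshake_faults; a reported fault locates exactly the request to inspect at the packet level for the FIN or RST that ended the earlier connection.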


