[squid-users] Debugging NTLM problem

Amos Jeffries squid3 at treenet.co.nz
Wed Aug 31 15:10:58 UTC 2016


On 1/09/2016 12:37 a.m., akn ab wrote:
> Dear all,
> I'm facing a strange problem using squid 3.5.20 with ntlm transparent 
> authentication.
> I cannot use kerberos auth because I need to pass DOMAIN\user to my parent proxy 
> with x-authenticated-user header, and the form USERNAME at DOMAIN is not supported.
> Users can surf the web without problems but, sometimes, they receive request 
> credential popup from browser (explorer, edge, mozilla and chrome it does not 
> matter).
> auth_param ntlm program /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 300 startup=200 idle=10 concurrency=0
> auth_param ntlm keep_alive on
> auth_param basic program /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 25 startup=15 idle=5 concurrency=0
> auth_param basic realm PROXY AUTHORIZATION REQUIRED
> auth_param basic credentialsttl 30 minutes
> authenticate_cache_garbage_interval 1 hours
> authenticate_ttl 30 minutes
> authenticate_ip_ttl 30 minutes
>
> I migrated from squid 2.6.x and, with similar configuration, the required 
> credentials were displayed only when the password was expired.
> In this situation, users must click on the abort button many times to restore a 
> good situation, but I cannot understand why the request pops up suddenly.
> Is this a credentials cache timeout problem (authenticate_ttl 30 minutes)?

Maybe. If so it's not an NTLM problem since NTLM credentials are "cached"
by being tied to the TCP connection state, not stored in a regular cache
like Basic auth credentials.

I suggest trying:
  auth_param ntlm keep_alive off

Squid-3 is now HTTP/1.1, which behaves a bit differently with persistent
connections than HTTP/1.0 did. That affects the pile of nasty hacks
needed to make NTLM work over HTTP.

> Is this a problem in the browser?

Yes, at least partially. The popup only occurs when the browser thinks
none of its credentials are valid to send to the proxy. Why it thinks
that might be a browser bug or a Squid bug. Or just the way NTLM behaves
in some HTTP message circumstances.

> Is this a communication problem with Squid and Active Directory?

Unlikely. It's more probably between Squid and browser. Squid only
interacts with AD at the start of a new TCP connection, or when NTLM is
started on an existing connection.

It could be the browser sending unacceptable credentials (eg. the user's
machine account instead of the user's own account) then deciding NTLM
is unusable.

It could be the browser failing to send the right NTLM token for Squid
to check against the existing known credentials tied to the connection.


> I would like to understand why, so I need advice to start debugging and find a 
> solution.

<http://wiki.squid-cache.org/KnowledgeBase/DebugSections>

Section 29 is the various authenticators. You will also need the ACL
processing section and results.

Amos
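A small POSIX shell helper, added here and not part of the thread, that applies the two things the reply points at: switching the NTLM helper's keep_alive to off, and raising cache.log verbosity for the authenticator section (29) plus the access-control section (28, the ACL section the reply names only by description). The squid.conf fragment is a constructed copy of the one quoted above; the function names are assumptions.

```shell
#!/bin/sh
# Constructed squid.conf fragment (the quoted auth_param block, wrapped lines rejoined).
SAMPLE_CONF='auth_param ntlm program /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 300 startup=200 idle=10 concurrency=0
auth_param ntlm keep_alive on
auth_param basic program /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 25 startup=15 idle=5 concurrency=0
authenticate_ttl 30 minutes'

# ntlm_keep_alive CONF: print the effective keep_alive value. Squid's default when the
# directive is absent is "on", so that is what we report in that case.
ntlm_keep_alive() {
  awk '$1=="auth_param" && $2=="ntlm" && $3=="keep_alive" {v=$4}
       END {print (v=="" ? "on" : v)}' "$1"
}

# set_ntlm_keep_alive VALUE CONF: rewrite the directive in place, or append it if absent.
set_ntlm_keep_alive() {
  value=$1; conf=$2
  if grep -q '^auth_param ntlm keep_alive' "$conf"; then
    sed -i.bak "s/^auth_param ntlm keep_alive .*/auth_param ntlm keep_alive $value/" "$conf" \
      && rm -f "$conf.bak"
  else
    printf 'auth_param ntlm keep_alive %s\n' "$value" >> "$conf"
  fi
}

# enable_auth_debug CONF: one debug_options line, everything at level 1 except
# section 29 (authenticators) and section 28 (access control) at level 9.
enable_auth_debug() {
  conf=$1
  grep -q '^debug_options' "$conf" && sed -i.bak '/^debug_options/d' "$conf" && rm -f "$conf.bak"
  printf 'debug_options ALL,1 29,9 28,9\n' >> "$conf"
}

# Demo on a scratch copy; against a live proxy you would run it on squid.conf
# and then 'squid -k reconfigure'.
demo() {
  f=$(mktemp) || return 1
  printf '%s\n' "$SAMPLE_CONF" > "$f"
  echo "before: keep_alive=$(ntlm_keep_alive "$f")"
  set_ntlm_keep_alive off "$f"
  enable_auth_debug "$f"
  echo "after:  keep_alive=$(ntlm_keep_alive "$f")"
  grep -E '^(auth_param ntlm keep_alive|debug_options)' "$f"
  rm -f "$f"
}
demo
```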


