[squid-users] TCP_DENIED/407 AD auth

info at schroeffu.ch info at schroeffu.ch
Wed Dec 4 14:37:14 UTC 2019


Hi Stan,

When you are using NTLM, according to the last sentence in https://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm (very bottom):

"Note that when using NTLM authentication, you will see two "TCP_DENIED/407" entries in access.log for every request. This is due to the challenge-response process of NTLM."

So usually any request from an end user through an NTLM auth proxy should log a TCP_DENIED/407. If you have websites allowed without authentication in squid.conf before the authentication configuration, of course these do not log a 407. As for the real challenge-response thing, maybe somebody else can explain that better to you or link to documentation.

For example, I'm running a whitelist configured before the authentication configuration, so I can add domains to allow without NTLM (apple.com domains etc.):

acl white_domain dstdomain "/etc/squid/ka/domains_noauth.acl"
http_access allow white_domain

acl white_regexp url_regex -i "/etc/squid/ka/domains_noauth_regex.acl"
http_access allow white_regexp

#Allow fetch intermediate certs before required authentication, guess this is required for SSL BUMP + NTLM
acl fetched_certificate transaction_initiator certificate-fetching
cache allow fetched_certificate
http_access allow fetched_certificate

# NTLM authentication
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --use-cached-creds --offline-logon
(...)(ntlm configuration, check required ldap groups, blablah)
(...)
(...)
(...)

# Allow based on group membership
# Authentication required, otherwise Pop-Up to Basic Auth
acl Authenticated_Users proxy_auth REQUIRED
http_access deny !Authenticated_Users



December 4, 2019 15:25, "stancfg" <stancfg at gmail.com> wrote:

> Hello Schroeffu 
> 
> I fully agree with you, but why are some of the requests authenticated and some
> are not?
> Is this normal behavior?
> Thank you for your help.
> 
> Stan
> 
> --
> Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
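
Added example (not part of the original message and not code from the Squid project): a small Python script that separates the 407 entries produced by the NTLM challenge-response from 407s that never ended in an authenticated request, and from requests let through by a pre-authentication whitelist like the one in the reply above. It assumes Squid's native access.log format; the log lines are constructed, and pairing 407s with the later request by client, method and URL is a heuristic.

```python
from collections import defaultdict

# Constructed sample lines in Squid's native access.log format (not from the thread).
# Fields: time elapsed client code/status bytes method URL user hierarchy type
SAMPLE_LOG = """\
1575470234.101      0 10.0.0.5 TCP_DENIED/407 4120 GET http://example.org/ - HIER_NONE/- text/html
1575470234.140      1 10.0.0.5 TCP_DENIED/407 4390 GET http://example.org/ - HIER_NONE/- text/html
1575470234.322    180 10.0.0.5 TCP_MISS/200 1532 GET http://example.org/ alice HIER_DIRECT/192.0.2.10 text/html
1575470240.010     95 10.0.0.5 TCP_TUNNEL/200 5120 CONNECT www.apple.com:443 - HIER_DIRECT/203.0.113.10 -
1575470250.500      0 10.0.0.9 TCP_DENIED/407 4120 GET http://example.net/ - HIER_NONE/- text/html
1575470250.530      0 10.0.0.9 TCP_DENIED/407 4390 GET http://example.net/ - HIER_NONE/- text/html
1575470250.560      0 10.0.0.9 TCP_DENIED/407 4120 GET http://example.net/ - HIER_NONE/- text/html
"""


def classify(log_text):
    """Return (client, url, label) per log line, in log order."""
    pending = defaultdict(list)  # (client, method, url) -> indexes of open 407s
    results = []
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 8:
            continue  # not a native-format line
        client, status, method, url, user = f[2], f[3], f[5], f[6], f[7]
        key = (client, method, url)
        if status.endswith("/407"):
            # Provisional label; upgraded below if authentication completes.
            pending[key].append(len(results))
            results.append([client, url, "unresolved-407"])
        elif user != "-":
            # A user name is logged: the earlier 407s were the NTLM handshake.
            for i in pending.pop(key, []):
                results[i][2] = "ntlm-handshake"
            results.append([client, url, "authenticated:" + user])
        elif status.startswith("TCP_DENIED"):
            results.append([client, url, "denied"])
        else:
            # Served with no user name, e.g. matched an allow rule placed
            # before the proxy_auth ACL (the whitelist case).
            results.append([client, url, "allowed-without-auth"])
    return [tuple(r) for r in results]


if __name__ == "__main__":
    for row in classify(SAMPLE_LOG):
        print(*row)
```

Entries still labelled unresolved-407 at the end of the log are the ones worth a closer look (failed helper, wrong credentials, or a client that does not speak NTLM).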

