[squid-users] NTLM V2 Set up for Squid issue

Amos Jeffries squid3 at treenet.co.nz
Fri Sep 30 08:05:25 UTC 2022


On 30/09/22 06:28, K R, Bharath wrote:
> 
> Hi Team,
> 
> We see the below error while configuring Squid for NTLM V2.
> 

FYI: NTLM was formally deprecated by Microsoft in April 2006. It should 
not be used except as a last resort for supporting ancient client software.

Please consider implementing its replacement, Negotiate/Kerberos 
authentication instead.



> 1664469456.486     73 10.65.140.107 *TCP_DENIED/407* 4408 GET 
> http://detectportal.firefox.com/canonical.html - HIER_NONE/- text/html
> 

Please be aware that NTLM authentication has the following properties:

  1) each TCP connection needs its own unique handshake.

  2) auth handshake is split over multiple HTTP requests. The first 
several of which *will* receive a 407 response status.

  3) it does not work outside LAN environments


The log provided does not make it clear whether these 407 are the result 
of auth rejection, or just the proxy receiving a lot of new TCP 
connections suddenly.


FWIW, from behaviour seen elsewhere with non-NTLM auth I suspect the 
pattern of detectportal.firefox.com and push.services.mozilla.com 
requests are Firefox automation that runs on opening, but does not try 
to complete auth handshakes initially.
  If you are only seeing this excess of 407s for those domains I would 
ignore it as normal.



> 1664469612.625     34 10.65.140.107 TCP_DENIED/407 4326 CONNECT 
> push.services.mozilla.com:443 - HIER_NONE/- text/html
> 
> auth_param ntlm program /usr/bin/ntlm_auth --diagnostics 
> --helper-protocol=squid-2.5-ntlmssp --domain=xxxxx.com
> 
> auth_param ntlm children 10
> 
> auth_param ntlm keep_alive off
> 
> auth_param ntlm program /usr/lib/squid/ntlm_auth 
> xxxx.com/xxxxx.informatica.com
> 
> auth_param ntlm children 5
> 
> auth_param ntlm max_challenge_reuses 0
> 
> auth_param ntlm max_challenge_lifetime 2 minutes
> 

FYI, these max_challenge_* parameters have not been supported since 
Squid-2.6.

If you are still using that version or older *PLEASE* upgrade. Current 
supported versions are the Squid-4 and Squid-5 series.



> acl ntlm_users proxy_auth REQUIRED
> 
> http_access allow ntlm_users
> 

This will permit anyone to supply bad credentials and still use the proxy.

I suggest replacing the above line with:

  http_access deny !ntlm_users

... then followup with any policy rules for allowing users.


> #http_access deny all
> 
> NOTE: Our wbinfo component is working as expected.
> 
> We made use of 
> https://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm for doc.
> 
> Regards,
> 
> Bharath
> 
> 
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
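The reply above points out that the access.log alone does not show whether the 407s are auth rejections or just the normal multi-step NTLM handshake on new TCP connections, and that challenge-only traffic to the Firefox automation hosts can be ignored. The following is an added example (not from the thread or from the Squid project) of a small triage script that implements that reasoning: it parses native-format access.log lines, groups them per client and destination host, and separates hosts that only ever receive 407 challenges from hosts where an authenticated request eventually follows. The log lines, client IP, user name and intranet host in SAMPLE_LOG are constructed for the example.

```python
"""Triage Squid access.log 407 responses per client and destination host.

Added example: parses Squid native-format access.log lines and reports,
per (client IP, destination host), how many requests ended in status 407
versus any other status, and how many carried an authenticated user name.
A host that only ever produces 407s with no authenticated follow-up matches
the "client never tries to complete the handshake" pattern; a host with
407s followed by an authenticated request is a normal NTLM handshake.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample data modelled on the log format quoted in the thread.
SAMPLE_LOG = """\
1664469456.486     73 10.65.140.107 TCP_DENIED/407 4408 GET http://detectportal.firefox.com/canonical.html - HIER_NONE/- text/html
1664469457.101     70 10.65.140.107 TCP_DENIED/407 4408 GET http://detectportal.firefox.com/canonical.html - HIER_NONE/- text/html
1664469612.625     34 10.65.140.107 TCP_DENIED/407 4326 CONNECT push.services.mozilla.com:443 - HIER_NONE/- text/html
1664469620.000     12 10.65.140.107 TCP_DENIED/407 4300 GET http://intranet.example.test/ - HIER_NONE/- text/html
1664469620.050     15 10.65.140.107 TCP_DENIED/407 4300 GET http://intranet.example.test/ - HIER_NONE/- text/html
1664469620.300    210 10.65.140.107 TCP_MISS/200 15320 GET http://intranet.example.test/ EXAMPLE\\jdoe HIER_DIRECT/192.0.2.10 text/html
"""


def parse_line(line):
    """Parse one native-format line; return a dict or None if malformed.

    Native format: time elapsed client code/status bytes method URL user
    peerstatus/peerhost type (10 whitespace-separated fields).
    """
    fields = line.split()
    if len(fields) < 10:
        return None
    _code, _, status = fields[3].partition("/")
    method, url, user = fields[5], fields[6], fields[7]
    if method == "CONNECT":
        # CONNECT requests carry host:port rather than a full URL.
        host = url.rsplit(":", 1)[0]
    else:
        host = urlsplit(url).hostname or url
    return {"client": fields[2], "status": status, "method": method,
            "host": host, "user": user}


def summarize(log_text):
    """Count 407 / non-407 / authenticated requests per (client, host)."""
    stats = defaultdict(lambda: {"407": 0, "other": 0, "authenticated": 0})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        entry = stats[(rec["client"], rec["host"])]
        if rec["status"] == "407":
            entry["407"] += 1
        else:
            entry["other"] += 1
            # Squid logs "-" in the user field when no credentials were accepted.
            if rec["user"] != "-":
                entry["authenticated"] += 1
    return dict(stats)


def classify(entry):
    """Label a (client, host) entry according to the handshake pattern seen."""
    if entry["407"] and entry["other"] == 0:
        return "challenge-only (no completed handshake seen)"
    if entry["407"] and entry["authenticated"]:
        return "handshake completed (407s are expected NTLM steps)"
    return "no challenges"


def report(log_text):
    """Return one summary line per (client, host), sorted for stable output."""
    lines = []
    for (client, host), entry in sorted(summarize(log_text).items()):
        lines.append(f"{client} -> {host}: 407={entry['407']} other={entry['other']} "
                     f"auth={entry['authenticated']} : {classify(entry)}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Feed it a real access.log instead of SAMPLE_LOG and look only at the "challenge-only" rows: if they are confined to hosts like the two Firefox ones, the 407 volume is the client's own doing; if ordinary intranet hosts show up there, the helper or domain configuration is the more likely problem.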

