[squid-users] NTLM authentication problems with HTTP 1.1

brendan kearney bpk678 at gmail.com
Wed Apr 8 17:20:35 UTC 2015


Note the lack of a user-agent string.  This is likely an app that cannot
authenticate.

My standard for Auth Bypass is source IP, user-agent string and destination
URL.  Generally the source is preferred to be statically assigned, otherwise
you need to allow the entire DHCP pool or range.  Because there is no
user-agent you can drop the requirement or force it with some sort of
negated logic (!any).

On Apr 8, 2015 11:21 AM, "Samuel Anderson" <sam at idsdoc.com> wrote:

> Hello all,
>
>
> I'm having a problem where HTTP 1.1 CONNECT requests do not authenticate
> using NTLM. Browsing the internet works fine in all major browsers; I
> mostly see this occurring in programs that are installed locally on a user's
> computer. Using Wireshark I'm able to follow the TCP stream and I can see
> that the server returns the error (407 Proxy Authentication Required). I am
> able to work around this problem by explicitly bypassing a domain from
> requiring authentication, however I really don't want to do that. Any ideas
> would be appreciated very much.
>
> Thanks,
>
>
> Below is the content summary of some of the network packets that I'm
> working with, along with my config file.
>
> TCP Stream Content
>
> ####################
> CONNECT batch.internetpostage.com:443 HTTP/1.1
> Host: batch.internetpostage.com
> Proxy-Connection: Keep-Alive
>
>
> HTTP/1.1 407 Proxy Authentication Required
> Server: squid/3.3.8
> Mime-Version: 1.0
> Date: Tue, 07 Apr 2015 21:02:24 GMT
> Content-Type: text/html
> Content-Length: 3208
> X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
> Proxy-Authenticate: Negotiate
> Proxy-Authenticate: NTLM
> X-Cache: MISS from squid2.****.local
> X-Cache-Lookup: NONE from squid2.****.local:3128
> Via: 1.1 squid2.****.local (squid/3.3.8)
> Connection: close
> ####################
>
> CONFIG File
>
> ####################
>
> #Kerberos and NTLM authentication
>
> auth_param negotiate program /usr/local/bin/negotiate_wrapper --ntlm
> /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp
> --domain=****.LOCAL --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d
> -s GSS_C_NO_NAME
> auth_param negotiate children 30
> auth_param negotiate keep_alive off
>
> auth_param ntlm program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-ntlmssp --domain=****
> auth_param ntlm children 30
> auth_param ntlm keep_alive off
>
> # AD group membership lookup
>
> external_acl_type ldap_group ttl=60 children-startup=10 children-max=50
> children-idle=2 %LOGIN /usr/lib/squid3/ext_ldap_group_acl -R -K -S -b
> "DC=****,DC=local" -D "CN=SQUID,OU=**** Service Accounts,DC=****,DC=local"
> -w "****" -f "(&(objectclass=person)
> (sAMAccountname=%v)(memberof=CN=%a,OU=PROXY,ou=ALL **** Groups,DC=****
> ,DC=local))" -h dc1.****.local,dc2.****.local,dc3.****.local,dc4.****.local
>
> # auth required
>
> acl auth proxy_auth REQUIRED
> http_access deny !auth all
>
> ####################
>
> --
> Samuel Anderson  |  Information Technology Administrator  |  International
> Document Services
>
> IDS  |  11629 South 700 East, Suite 200  |  Draper, UT 84020-4607
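Brendan's three-key bypass (source IP, destination, and a negated user-agent check) written out as a squid.conf fragment; this is an added illustration, not configuration from either poster. It assumes the client sits at 192.0.2.10 (a placeholder address) and uses the batch.internetpostage.com host seen in the captured CONNECT.

```conf
# Added example: a narrowly scoped auth bypass for one client that cannot
# speak NTLM. All three conditions must hold, so a browser on the same
# machine (which sends a User-Agent) still goes through proxy_auth.

# source: placeholder address, statically assigned so the rule stays narrow
acl postage_client src 192.0.2.10/32

# destination: the host from the CONNECT request in the capture
acl postage_dst dstdomain batch.internetpostage.com

# "any" user-agent: matches every request that carries a User-Agent header,
# so !any_ua is true only when the header is absent (the negated logic)
acl any_ua browser .*

# Bypass: allow only when source, destination and missing UA all match.
# Must come BEFORE the deny rule, since http_access stops at the first hit.
http_access allow postage_client postage_dst !any_ua

# Everything else still has to authenticate (unchanged from the posted config)
acl auth proxy_auth REQUIRED
http_access deny !auth all
```

Squid evaluates http_access top to bottom and stops at the first match, so the bypass line has to sit above the deny rule; `squid -k parse` checks the syntax before a reconfigure, and the bypassed requests then show up in access.log with no user name, which makes them easy to audit.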