[squid-users] NTLM authentication problems with HTTP 1.1

Amos Jeffries squid3 at treenet.co.nz
Thu Apr 9 01:31:20 UTC 2015


On 9/04/2015 3:20 a.m., Samuel Anderson wrote:
> Hello all,
> 
> 
> I'm having a problem where HTTP 1.1 connect requests do not authenticate
> using NTLM. Browsing the internet works fine in all major browsers, I
> mostly see this occurring in programs that are installed locally on a user's
> computer. Using wireshark I'm able to follow the TCP stream and I can see
> that the server returns the error (407 Proxy Authentication Required). I am
> able to work around this problem by explicitly bypassing a domain from
> requiring authentication, however I really don't want to do that. Any ideas
> would be appreciated very much.
> 
> Thanks,
> 
> 
> Below is the content summary of some of the network packets that I'm
> working with along with my config file
> 
> TCP Stream Content
> 
> ####################
> CONNECT batch.internetpostage.com:443 HTTP/1.1
> Host: batch.internetpostage.com
> Proxy-Connection: Keep-Alive

Note the absence of Proxy-Authorization. This is the very start of the
auth sequence...

> 
> HTTP/1.1 407 Proxy Authentication Required
> Server: squid/3.3.8
> Mime-Version: 1.0
> Date: Tue, 07 Apr 2015 21:02:24 GMT
> Content-Type: text/html
> Content-Length: 3208
> X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
> Proxy-Authenticate: Negotiate
> Proxy-Authenticate: NTLM
> X-Cache: MISS from squid2.****.local
> X-Cache-Lookup: NONE from squid2.****.local:3128
> Via: 1.1 squid2.****.local (squid/3.3.8)
> Connection: close

... Squid responds by indicating auth is required and what types may be
used.

This is a perfectly normal and working stage-1 of any authentication
type. Including the fact the TCP connection is closed.

NTLM handshake stage-2 begins on a new TCP connection with the client
sending a repeat of the CONNECT request but containing the type-1
credentials token. Squid responds with a type-2 credentials token. Then
the client repeats the CONNECT for a third time with a type-3
credentials token, which Squid either accepts or rejects.


> ####################
> 
> CONFIG File
> 
> ####################
> 
<snip>
> # auth required
> 
> acl auth proxy_auth REQUIRED
> http_access deny !auth all

The "all" here is probably why your authentication is failing. What it
does is prevent Squid emitting the stage-3 NTLM handshake response.

Amos
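
Added example (not part of the original message and not Squid code): a small Python helper for reading a capture like the one above, labelling each header block by its place in the NTLM proxy exchange so you can see at which step a client stops. It reads the message-type field of the NTLM token; the tokens and the capture below are constructed stubs, and only the "NTLM" scheme is decoded, not "Negotiate".

```python
import base64
import struct

NTLM_SIGNATURE = b"NTLMSSP\x00"
STAGES = {1: "type-1 negotiate", 2: "type-2 challenge", 3: "type-3 authenticate"}

def ntlm_message_type(header_value):
    """Return 1, 2 or 3 for an 'NTLM <base64>' header value, else None."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not blob.strip():
        return None  # bare "NTLM" offer, or a different scheme
    try:
        raw = base64.b64decode(blob.strip(), validate=True)
    except ValueError:
        return None
    if len(raw) < 12 or not raw.startswith(NTLM_SIGNATURE):
        return None
    (msg_type,) = struct.unpack_from("<I", raw, 8)  # little-endian type field
    return msg_type if msg_type in STAGES else None

def classify(message):
    """Label one HTTP header block by its place in the proxy NTLM exchange."""
    lines = message.strip().splitlines()
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() in ("proxy-authorization", "proxy-authenticate"):
            msg_type = ntlm_message_type(value)
            if msg_type:
                return STAGES[msg_type]
    if lines[0].startswith("HTTP/"):
        status = lines[0].split()[1]
        return "407 offer, no token" if status == "407" else "response " + status
    return "request without credentials"

def _token(msg_type):
    # Constructed stub: signature + type + 4 zero bytes, not a full NTLM message.
    return base64.b64encode(NTLM_SIGNATURE + struct.pack("<I", msg_type) + b"\0" * 4).decode()

CONNECT = "CONNECT batch.internetpostage.com:443 HTTP/1.1\nHost: batch.internetpostage.com\n"
DENIED = "HTTP/1.1 407 Proxy Authentication Required\n"
SAMPLE = [  # constructed capture, one header block per message
    CONNECT,
    DENIED + "Proxy-Authenticate: Negotiate\nProxy-Authenticate: NTLM\n",
    CONNECT + "Proxy-Authorization: NTLM " + _token(1) + "\n",
    DENIED + "Proxy-Authenticate: NTLM " + _token(2) + "\n",
    CONNECT + "Proxy-Authorization: NTLM " + _token(3) + "\n",
]

if __name__ == "__main__":
    for block in SAMPLE:
        print(classify(block))
```

A capture whose labels end at "407 offer, no token" shows a client that never sent a type-1 token; one that ends at "type-1 negotiate" shows the proxy never returned a challenge.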

