[squid-users] microsoft edge and proxy auth not working
Brendan Kearney
bpk678 at gmail.com
Thu Mar 9 19:22:04 UTC 2017
adding this back to the mailing list, for the benefit of those who
search for it.
i do not have simple and easy to use instructions for mac os x and linux
participation in AD. it is not a simple task. on linux, you will need
to look into SSSD (Simple Security Services Daemon) and understand that
process.
i have a mac for work, and it is a domain member object, so i know it
can be done. i dont know how it is done, and would think there are
internet articles that you can search for on the subject.
On 03/09/2017 02:13 PM, Rafael Akchurin wrote:
> Hello Brendan,
>
> Yes by default we have NTLM disabled :)
>
> Unfortunately we must keep the proxy solution in parity with DC capabilities in AD which luckily still support NTLM authentication through LDAP.
>
> This allows us to relay the tokens without Samba as I described in previous mail.
>
> BTW if you could share the ready to use (simple) instructions to have Kerberous auth supported ftom Mac/iPhone/iPad and Linux (Ubuntu/CentOS) it would be beneficial to all.
>
> Best regards,
> Rafael Akchurin
>
>> Op 9 mrt. 2017 om 19:47 heeft Brendan Kearney <bpk678 at gmail.com> het volgende geschreven:
>>
>>> On 03/09/2017 01:17 PM, Rafael Akchurin wrote:
>>> The thing is, when you got some machines in your network which are not joined to the domain (think apple, linux) you still need NTLM support on proxy :(
>>>
>>> And having full blown Samba just because of those few is too much of admin's hassle - so we had to write NTLM relay that would rebind to domain controller with LDAP protocol passing NTLM token back and forth.
>>>
>>> Joining Squid proxy to the domain (which is required to authenticate using Samba/NTLM) also prevents from successful reverts from vm snapshots after 30 days and requires rejoin - thus preventing us from creating easily provisioned/thrown away scalable web filter / proxy instances (think docker).
>>>
>>> Best regards,
>>> Rafael Akchurin
>>>
>>>> Op 9 mrt. 2017 om 19:09 heeft Mike Surcouf <mikes at surcouf.co.uk> het volgende geschreven:
>>>>
>>>> Ah OK sorry
>>>> I am curious why you have a reason to use NTLM over Kerberos? :-)
>>>>
>>>> -----Original Message-----
>>>> From: Rafael Akchurin [mailto:rafael.akchurin at diladele.com]
>>>> Sent: 09 March 2017 18:01
>>>> To: Mike Surcouf
>>>> Cc: Amos Jeffries; squid-users at lists.squid-cache.org
>>>> Subject: Re: [squid-users] microsoft edge and proxy auth not working
>>>>
>>>> Hello Mike,
>>>>
>>>> I specifically was debugging our NTLM implementation with Edge :)
>>>>
>>>> Kerberos works just fine, you are correct.
>>>>
>>>> Best regards,
>>>> Rafael Akchurin
>>>>
>>>>> Op 9 mrt. 2017 om 18:57 heeft Mike Surcouf <mikes at surcouf.co.uk> het volgende geschreven:
>>>>>
>>>>> Hi Rafael
>>>>>
>>>>> Is there any reason you can't use Kerberos.
>>>>> Note you will need to create a keytab but the setup is not that hard and in the docs.
>>>>> I use it very successfully on window AD network.
>>>>>
>>>>> auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth
>>>>> auth_param negotiate children 20
>>>>> auth_param negotiate keep_alive on
>>>>>
>>>>> Thanks
>>>>>
>>>>> Mike
>>>>>
>>>>> -----Original Message-----
>>>>> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org]
>>>>> On Behalf Of Rafael Akchurin
>>>>> Sent: 09 March 2017 17:01
>>>>> To: Amos Jeffries; squid-users at lists.squid-cache.org
>>>>> Subject: Re: [squid-users] microsoft edge and proxy auth not working
>>>>>
>>>>> Hello Amos, Markus, all,
>>>>>
>>>>> Just as a side note - I also suffered from this error sometime before with Edge and our custom NTLM relay to domain controllers (run as auth helper by Squid). The strange thing it went away after installing some (unknown) Windows update.
>>>>>
>>>>> I do have the "auth_param ntlm keep_alive off" in the config though.
>>>>>
>>>>> It all makes me quite suspicious the error was/is in Edge or in my curly hands.
>>>>>
>>>>> Best regards,
>>>>> Rafael Akchurin
>>>>> Diladele B.V.
>>>>>
>>>>> -----Original Message-----
>>>>> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org]
>>>>> On Behalf Of Amos Jeffries
>>>>> Sent: Thursday, March 9, 2017 5:12 PM
>>>>> To: squid-users at lists.squid-cache.org
>>>>> Subject: Re: [squid-users] microsoft edge and proxy auth not working
>>>>>
>>>>> On 8/03/2017 11:28 p.m., Rietzler, Markus (RZF, Aufg 324 /
>>>>> <RIETZLER_SOFTWARE>) wrote:
>>>>>> i should add that we are using squid 3.5.24.
>>>>>>
>>>>> Try with "auth_param ntlm keep_alive off". Recently the browsers have been needing that.
>>>>>
>>>>> Though frankly I am surprised if Edge supports NTLM at all. It was deprecated in April 2006 and MS announced removal was being actively pushed in all thier software since Win7.
>>>>>
>>>>>>> -----Ursprüngliche Nachricht-----
>>>>>>> Von: Rietzler, Markus
>>>>>>>
>>>>>>> we have some windows 10 clients using microsoft edge browser.
>>>>>>> access to internet is only allowed for authenticated users. we are
>>>>>>> using samba/winbind auth
>>>>>>>
>>>>>>> auth_param ntlm program /usr/bin/ntlm_auth
>>>>>>> --helper-protocol=squid-2.5- ntlmssp auth_param ntlm children 64
>>>>>>> startup=24 idle=12 auth_param ntlm keep_alive on acl auth_user
>>>>>>> proxy_auth REQUIRED
>>>>>>>
>>>>>>> on windows 10 clients with IE11 it is working (with ntlm automatic
>>>>>>> auth) on the same machine, with Microsoft edge I get TCP_Denied/407 message.
>>>>>>> seems I only get one single TCP_DENIED/407 line in accesslog and an
>>>>>>> auth dialog pops up. I have disabled basic auth via ntlm.
>>>>>>> shouldn't there be 3 lines for proxy auth? with IE11 I see those
>>>>>>> three lines (2x TCP_DENIED/407 and 1x TCP_MISS/200), no popup at all.
>>>>> Not specifically. There should be 1+ for NTLM. Success with NTLM shows
>>>>> 2+. Failure shows 1 or 3 or infinite loop (hello Safari and Firefox 30-ish).
>>>>>
>>>>>
>>>>>>> winbind/samba itself seems to work, as I can do an user auth against
>>>>>>> apache with winbind/samba - even over some squid proxies with
>>>>>>> connection-auth allowed. but not for proxy-auth.
>>>>>>> is there any option in squid.conf which prevents Edge to do a
>>>>>>> successful auth?
>>>>> If other software succeeds then the only thing that might be related is the keep-alive option mentioned above. Otherwise the problem is in Edge itself.
>>>>>
>>>>> Amos
>>>>>
>>>>> _______________________________________________
>>>>> squid-users mailing list
>>>>> squid-users at lists.squid-cache.org
>>>>> http://lists.squid-cache.org/listinfo/squid-users
>>>>> _______________________________________________
>>>>> squid-users mailing list
>>>>> squid-users at lists.squid-cache.org
>>>>> http://lists.squid-cache.org/listinfo/squid-users
>>> _______________________________________________
>>> squid-users mailing list
>>> squid-users at lists.squid-cache.org
>>> http://lists.squid-cache.org/listinfo/squid-users
>> mac os x and linux can be joined to the domain and use kerberos auth. it sounds like you have a "dont want to" situation, instead of a "cannot" situation there.
>>
>> when both kerberos and ntlm are advertised as supported by the proxy, the client will negotiate which auth method is used. when both the client and the proxy support kerberos, that will be used. if the client is then not able to pull a ticket from the directory to satisfy the kerberos auth to the proxy, the auth fails. the fall back to ntlm as the auth method will not occur in this situation.
>>
>> ntlm will only be used if one or both of the parties does not support kerberos, and therefore the negotiated auth method chosen is not kerberos.
>>
>> in Edge, disable the IWA (Integrated Windows Authentication) under Advanced settings, and close/relaunch any browser windows. this should get you using only ntlm. effectively, you are forcing the client to not support kerberos and preventing that auth method from being negotiated for use.
>>
>> hth,
>>
>> brendan
>>
More information about the squid-users
mailing list