[squid-users] microsoft edge and proxy auth not working

Rafael Akchurin rafael.akchurin at diladele.com
Fri Mar 10 10:35:15 UTC 2017


Hello all,

There is another way (not better but another) that does not require you to join squid machines to the domain: map the proxy SPN to a designated user. I describe this at https://docs.diladele.com/administrator_guide_4_9/active_directory/create_user/index.html

Pros - you have one user that can be used by a farm of squid proxies without the need to join boxes to the domain.
Cons - that one user needs to be managed separately from all other users - i.e. you do not want to set the password expiration policy for it - otherwise your exported keytab will be invalid.

My 2 cents.

Rafael Akchurin
Diladele B.V.


-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Mike Surcouf
Sent: Friday, March 10, 2017 10:56 AM
To: 'Rietzler, Markus (RZF, Aufg 324 / <RIETZLER_SOFTWARE>)' <markus.rietzler at fv.nrw.de>; squid-users at lists.squid-cache.org
Subject: Re: [squid-users] microsoft edge and proxy auth not working

Are the browsing machines domain joined?
If so and you are just talking about joining the squid proxies to the domains for auth delegation to the dcs this is greatly simplified with realmd now.
Could probably be scripted quite easily.

-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Rietzler, Markus (RZF, Aufg 324 / <RIETZLER_SOFTWARE>)
Sent: 10 March 2017 09:53
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] microsoft edge and proxy auth not working

Kerberos has been on the wishlist for a very long time.
One reason was: the setup is a bit complicated and we do have 150 proxies in our subsidiaries. So we need 150 different Kerberos setups with 150 trusts and tickets and certificates etc. So we are working on this to have it replaced someday...

thanks

> -----Original Message-----
> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On
> Behalf Of Mike Surcouf
> Sent: Thursday, 9 March 2017 18:58
> To: 'Rafael Akchurin'; Amos Jeffries;
> squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] microsoft edge and proxy auth not working
> 
> Hi Rafael
> 
> Is there any reason you can't use Kerberos?
> Note you will need to create a keytab but the setup is not that hard
> and is in the docs.
> I use it very successfully on a Windows AD network.
> 
> auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth
> auth_param negotiate children 20
> auth_param negotiate keep_alive on
> 
> Thanks
> 
> Mike
> 
> -----Original Message-----
> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org]
> On Behalf Of Rafael Akchurin
> Sent: 09 March 2017 17:01
> To: Amos Jeffries; squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] microsoft edge and proxy auth not working
> 
> Hello Amos, Markus, all,
> 
> Just as a side note - I also suffered from this error some time before
> with Edge and our custom NTLM relay to domain controllers (run as auth
> helper by Squid). The strange thing is it went away after installing some
> (unknown) Windows update.
> 
> I do have the "auth_param ntlm keep_alive off" in the config though.
> 
> It all makes me quite suspicious the error was/is in Edge or in my 
> curly hands.
> 
> Best regards,
> Rafael Akchurin
> Diladele B.V.
> 
> -----Original Message-----
> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org]
> On Behalf Of Amos Jeffries
> Sent: Thursday, March 9, 2017 5:12 PM
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] microsoft edge and proxy auth not working
> 
> On 8/03/2017 11:28 p.m., Rietzler, Markus (RZF, Aufg 324 /
> <RIETZLER_SOFTWARE>) wrote:
> > i should add that we are using squid 3.5.24.
> >
> 
> Try with "auth_param ntlm keep_alive off". Recently the browsers have 
> been needing that.
> 
> Though frankly I am surprised if Edge supports NTLM at all. It was
> deprecated in April 2006 and MS announced removal was being actively
> pushed in all their software since Win7.
> 
> >
> >> -----Original Message-----
> >> From: Rietzler, Markus
> >>
> >> we have some windows 10 clients using microsoft edge browser.
> >> access to internet is only allowed for authenticated users. we are
> >> using samba/winbind auth
> >>
> >> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> >> auth_param ntlm children 64 startup=24 idle=12
> >> auth_param ntlm keep_alive on
> >> acl auth_user proxy_auth REQUIRED
> >>
> >> on windows 10 clients with IE11 it is working (with ntlm automatic
> >> auth). on the same machine, with Microsoft Edge I get a TCP_DENIED/407
> >> message.
> >> seems I only get one single TCP_DENIED/407 line in accesslog and an 
> >> auth dialog pops up. I have disabled basic auth via ntlm.
> >> shouldn't there be 3 lines for proxy auth? with IE11 I see those 
> >> three lines (2x TCP_DENIED/407 and 1x TCP_MISS/200), no popup at all.
> 
> Not specifically. There should be 1+ for NTLM. Success with NTLM shows
> 2+. Failure shows 1 or 3 or infinite loop (hello Safari and Firefox
> 2+30-ish).
> 
> 
> >>
> >> winbind/samba itself seems to work, as I can do a user auth
> >> against apache with winbind/samba - even over some squid proxies
> >> with connection-auth allowed. but not for proxy-auth.
> >> is there any option in squid.conf which prevents Edge from doing a
> >> successful auth?
> 
> If other software succeeds then the only thing that might be related 
> is the keep-alive option mentioned above. Otherwise the problem is in 
> Edge itself.
> 
> Amos
> 
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
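To make the access.log patterns discussed in this thread concrete (Amos: NTLM success shows two or more 407 challenges before a 200, failure one or three with no success, and some browsers loop; Markus: Edge logs a single TCP_DENIED/407 and then pops up a dialog), here is an added example that is not from any poster: a small Python script that groups Squid native-format access.log lines per client IP and labels each handshake. The log lines are constructed samples, and the loop threshold and label names are my own choices, not Squid terminology.

```python
"""Label proxy-auth handshakes in Squid access.log (added example, not from the thread).

Groups native-format access.log lines per client IP, counts the
TCP_DENIED/407 challenges seen before the first non-407 reply, and labels
the sequence with the rules of thumb given in the thread: NTLM success is
2+ challenges followed by a success, failure is 1 or 3 challenges with no
success, and a long run of challenges is a looping client.
"""
import re
from collections import defaultdict

# Squid native log format, whitespace separated:
# time elapsed client code/status bytes method url user hier/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)"
)

# Constructed sample lines (not real traffic). 10.0.0.11 behaves like the
# IE11 case in the thread (2x 407 then 200), 10.0.0.12 like the Edge case
# (one 407, then the browser gives up and shows a dialog), 10.0.0.13 loops,
# and 10.0.0.14 fails after three rounds.
SAMPLE_LOG = "\n".join(
    [
        "1489140000.100   2 10.0.0.11 TCP_DENIED/407 3742 GET http://example.com/ - HIER_NONE/- text/html",
        "1489140000.150   3 10.0.0.11 TCP_DENIED/407 3742 GET http://example.com/ - HIER_NONE/- text/html",
        "1489140000.400 120 10.0.0.11 TCP_MISS/200 15321 GET http://example.com/ jdoe HIER_DIRECT/93.184.216.34 text/html",
        "1489140001.100   2 10.0.0.12 TCP_DENIED/407 3742 GET http://example.com/ - HIER_NONE/- text/html",
        "1489140003.100   2 10.0.0.14 TCP_DENIED/407 3742 GET http://example.com/ - HIER_NONE/- text/html",
        "1489140003.200   2 10.0.0.14 TCP_DENIED/407 3742 GET http://example.com/ - HIER_NONE/- text/html",
        "1489140003.300   2 10.0.0.14 TCP_DENIED/407 3742 GET http://example.com/ - HIER_NONE/- text/html",
    ]
    + [
        f"1489140002.{i:03d}   2 10.0.0.13 TCP_DENIED/407 3742 GET http://example.com/ - HIER_NONE/- text/html"
        for i in range(6)
    ]
)


def parse_lines(log_text):
    """Yield one dict per line that matches the native log format; skip the rest."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def classify_handshakes(log_text, loop_threshold=5):
    """Return {client: (number_of_407s, label)} for the first handshake per client.

    Only the requests up to the first non-407 reply are counted, so a client
    that authenticates once and then browses normally is labelled by its
    initial handshake. loop_threshold is an arbitrary cut-off (assumption).
    """
    per_client = defaultdict(list)
    for rec in parse_lines(log_text):
        per_client[rec["client"]].append(rec)

    result = {}
    for client, recs in per_client.items():
        denied = 0
        final = None
        for rec in recs:
            if rec["status"] == "407":
                denied += 1
            else:
                final = rec
                break
        if final is not None:
            if denied >= 2:
                label = "ntlm_success"          # multi-round challenge/response completed
            elif denied == 1:
                label = "single_round_success"  # one challenge, e.g. Negotiate or Basic
            else:
                label = "no_auth_needed"        # first request already allowed
        elif denied >= loop_threshold:
            label = "auth_loop"                 # client keeps re-sending, never succeeds
        elif denied == 1:
            label = "single_407_no_retry"       # the Edge symptom from the thread
        else:
            label = "auth_failed"               # 2-4 challenges, no success
        result[client] = (denied, label)
    return result


if __name__ == "__main__":
    for client, (n, label) in sorted(classify_handshakes(SAMPLE_LOG).items()):
        print(f"{client:12} 407s={n:<3} {label}")
```

Run it against a real access.log with `classify_handshakes(open("/var/log/squid/access.log").read())`; a flood of `single_407_no_retry` from one browser type, while other clients on the same proxy show `ntlm_success`, points at the client side (or the keep_alive setting) rather than at winbind, which is the same reasoning Amos applies above.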