Authenticating to sharepoint NTLM


Authenticating to sharepoint NTLM

Simon Dwyer
Hi all,

I have just implemented squid with kerberos + ntlm + basic
authentication.

I have just been told accessing a sharepoint website on the internet has
stopped working.

It seems the site is running NTLM authentication.

I have wiresharked the traffic on the proxy and can see the request come
in from the client then out to the web server and the NTLM fields are
left in place.

The SharePoint server is responding with a 401 unauthorized.

Where would be the next place to start looking?

I am running 3.1.10.

Thanks all,

Simon


Re: Authenticating to sharepoint NTLM

Javier Conti
On 18 April 2012 07:33, Simon Dwyer <[hidden email]> wrote:

> Hi all,
>
> I have just implemented squid with kerberos + ntlm + basic
> authentication.
>
> I have just been told accessing a sharepoint website on the internet has
> stopped working.
>
> It seems the site is running NTLM authentication.
>
> I have wiresharked the traffic on the proxy and can see the request come
> in from the client then out to the web server and the NTLM fields are
> left in place.
>
> The SharePoint server is responding with a 401 unauthorized.
>
> Where would be the next place to start looking?

Are you trying with Windows 7 clients? If yes, have you tried with a Windows
XP one?

I'm facing the same problem (getting Integrated Windows Authentication to
work through Squid) and as long as clients are Windows XP it works fine.

If this is the case, I can tell you that we already tried to lower the
security settings in Windows 7 to something comparable to those of Windows
XP but still see differences in behaviour (and still have the problem)...

Regards, Javier

PS: excuse me OP if the message went through twice, but Android doesn't
let me send plain text emails and the first one got bounced :(

>
> I am running 3.1.10.
>
> Thanks all,
>
> Simon
>

Re: Authenticating to sharepoint NTLM

cl00m
Hello,

Try to set "Send LM & NTLM - use NTLMv2 session security if negotiated"
in local policies (secpol.msc)

Go to: Local Policies > Security Options

Find "Network Security: LAN Manager authentication level"

Change Setting from "Send NTLMv2 response only"
to
"Send LM & NTLM - use NTLMv2 session security if negotiated"

Good luck !


Clem

On 18/04/2012 18:51, Javier Conti wrote:

> On 18 April 2012 07:33, Simon Dwyer<[hidden email]>  wrote:
>> Hi all,
>>
>> I have just implemented squid with kerberos + ntlm + basic
>> authentication.
>>
>> I have just been told accessing a sharepoint website on the internet has
>> stopped working.
>>
>> It seems the site is running NTLM authentication.
>>
>> I have wiresharked the traffic on the proxy and can see the request come
>> in from the client then out to the web server and the NTLM fields are
>> left in place.
>>
>> The SharePoint server is responding with a 401 unauthorized.
>>
>> Where would be the next place to start looking?
> Are you trying with Windows 7 clients? If yes, have you tried with a Windows
> XP one?
>
> I'm facing the same problem (getting Integrated Windows Authentication to
> work through Squid) and as long as clients are Windows XP it works fine.
>
> If this is the case, I can tell you that we already tried to lower the
> security settings in Windows 7 to something comparable to those of Windows
> XP but still see differences in behaviour (and still have the problem)...
>
> Regards, Javier
>
> PS: excuse me OP if the message went through twice, but Android doesn't
> let me send plain text emails and the first one got bounced :(
>
>> I am running 3.1.10.
>>
>> Thanks all,
>>
>> Simon
>>

Re: Authenticating to sharepoint NTLM

Simon Dwyer
I have seen this problem on a Windows 7 and a Fedora 16 machine. I
think I can rule out the Windows machine for once ;)

I am using FF on the Linux machine... is that known to have double NTLM
issues?

Simon

On Wed, 2012-04-18 at 19:36 +0200, Clem wrote:

> Hello,
>
> Try to set "Send LM & NTLM - use NTLMv2 session security if negotiated"
> in local policies (secpol.msc)
>
> Go to: Local Policies > Security Options
>
> Find "Network Security: LAN Manager authentication level"
>
> Change Setting from "Send NTLMv2 response only"
> to
> "Send LM & NTLM - use NTLMv2 session security if negotiated"
>
> Good luck !
>
>
> Clem
>
> On 18/04/2012 18:51, Javier Conti wrote:
> > On 18 April 2012 07:33, Simon Dwyer<[hidden email]>  wrote:
> >> Hi all,
> >>
> >> I have just implemented squid with kerberos + ntlm + basic
> >> authentication.
> >>
> >> I have just been told accessing a sharepoint website on the internet has
> >> stopped working.
> >>
> >> It seems the site is running NTLM authentication.
> >>
> >> I have wiresharked the traffic on the proxy and can see the request come
> >> in from the client then out to the web server and the NTLM fields are
> >> left in place.
> >>
> >> The SharePoint server is responding with a 401 unauthorized.
> >>
> >> Where would be the next place to start looking?
> > Are you trying with Windows 7 clients? If yes, have you tried with a Windows
> > XP one?
> >
> > I'm facing the same problem (getting Integrated Windows Authentication to
> > work through Squid) and as long as clients are Windows XP it works fine.
> >
> > If this is the case, I can tell you that we already tried to lower the
> > security settings in Windows 7 to something comparable to those of Windows
> > XP but still see differences in behaviour (and still have the problem)...
> >
> > Regards, Javier
> >
> > PS: excuse me OP if the message went through twice, but Android doesn't
> > let me send plain text emails and the first one got bounced :(
> >
> >> I am running 3.1.10.
> >>
> >> Thanks all,
> >>
> >> Simon
> >>



Re: Authenticating to sharepoint NTLM

Javier Conti
On 18 April 2012 23:07, Simon Dwyer <[hidden email]> wrote:
> I have seen this problem on a Windows 7 and a Fedora 16 machine.  I
> think I can rule out the Windows machine for once ;)
>
> I am using FF on the Linux machine... is that known to have double NTLM
> issues?

It is known for Windows 7 (I don't know about Linux clients) to behave
differently from Windows XP.

As Clem suggested, there are a few settings that should make 7 behave
similarly to XP. I tried all of them (according to support at least) but
unfortunately, the problem persists.

I would be more than happy to know that someone is successfully doing
Integrated Windows Authentication through Squid with a Windows 7 client!

Regards, Javier

>
> Simon
>
> On Wed, 2012-04-18 at 19:36 +0200, Clem wrote:
>> Hello,
>>
>> Try to set "Send LM & NTLM - use NTLMv2 session security if negotiated"
>> in local policies (secpol.msc)
>>
>> Go to: Local Policies > Security Options
>>
>> Find "Network Security: LAN Manager authentication level"
>>
>> Change Setting from "Send NTLMv2 response only"
>> to
>> "Send LM & NTLM - use NTLMv2 session security if negotiated"
>>
>> Good luck !
>>
>>
>> Clem
>>
>> On 18/04/2012 18:51, Javier Conti wrote:
>> > On 18 April 2012 07:33, Simon Dwyer<[hidden email]>  wrote:
>> >> Hi all,
>> >>
>> >> I have just implemented squid with kerberos + ntlm + basic
>> >> authentication.
>> >>
>> >> I have just been told accessing a sharepoint website on the internet has
>> >> stopped working.
>> >>
>> >> It seems the site is running NTLM authentication.
>> >>
>> >> I have wiresharked the traffic on the proxy and can see the request come
>> >> in from the client then out to the web server and the NTLM fields are
>> >> left in place.
>> >>
>> >> The SharePoint server is responding with a 401 unauthorized.
>> >>
>> >> Where would be the next place to start looking?
>> > Are you trying with Windows 7 clients? If yes, have you tried with a Windows
>> > XP one?
>> >
>> > I'm facing the same problem (getting Integrated Windows Authentication to
>> > work through Squid) and as long as clients are Windows XP it works fine.
>> >
>> > If this is the case, I can tell you that we already tried to lower the
>> > security settings in Windows 7 to something comparable to those of Windows
>> > XP but still see differences in behaviour (and still have the problem)...
>> >
>> > Regards, Javier
>> >
>> > PS: excuse me OP if the message went through twice, but Android doesn't
>> > let me send plain text emails and the first one got bounced :(
>> >
>> >> I am running 3.1.10.
>> >>
>> >> Thanks all,
>> >>
>> >> Simon
>> >>
>
>

Re: Authenticating to sharepoint NTLM

Simon Dwyer
Hi Javier,

Well you will be glad to know that I am using IWA with Windows 7 and it's
working great for the most part.

By IWA I mean using negotiated Kerberos authentication, which is what I
think IWA basically is.

There are just a few hiccups that happen, but that also happens with
NTLM, this issue being one of them.

I also cannot get iTunes to use the proxy properly with authentication
due to 100 popups asking for passwords.

I will be working on this sharepoint issue more tomorrow however.

Cheers,

Simon



On Wed, 2012-04-18 at 23:18 +0200, Javier Conti wrote:

> On 18 April 2012 23:07, Simon Dwyer <[hidden email]> wrote:
> > I have seen this problem on a Windows 7 and a Fedora 16 machine.  I
> > think I can rule out the Windows machine for once ;)
> >
> > I am using FF on the Linux machine... is that known to have double NTLM
> > issues?
>
> It is known for Windows 7 (I don't know about Linux clients) to behave
> differently from Windows XP.
>
> As Clem suggested, there are a few settings that should make 7 behave
> similarly to XP. I tried all of them (according to support at least) but
> unfortunately, the problem persists.
>
> I would be more than happy to know that someone is successfully doing
> Integrated Windows Authentication through Squid with a Windows 7 client!
>
> Regards, Javier
>
> >
> > Simon
> >
> > On Wed, 2012-04-18 at 19:36 +0200, Clem wrote:
> >> Hello,
> >>
> >> Try to set "Send LM & NTLM - use NTLMv2 session security if negotiated"
> >> in local policies (secpol.msc)
> >>
> >> Go to: Local Policies > Security Options
> >>
> >> Find "Network Security: LAN Manager authentication level"
> >>
> >> Change Setting from "Send NTLMv2 response only"
> >> to
> >> "Send LM & NTLM - use NTLMv2 session security if negotiated"
> >>
> >> Good luck !
> >>
> >>
> >> Clem
> >>
> >> On 18/04/2012 18:51, Javier Conti wrote:
> >> > On 18 April 2012 07:33, Simon Dwyer<[hidden email]>  wrote:
> >> >> Hi all,
> >> >>
> >> >> I have just implemented squid with kerberos + ntlm + basic
> >> >> authentication.
> >> >>
> >> >> I have just been told accessing a sharepoint website on the internet has
> >> >> stopped working.
> >> >>
> >> >> It seems the site is running NTLM authentication.
> >> >>
> >> >> I have wiresharked the traffic on the proxy and can see the request come
> >> >> in from the client then out to the web server and the NTLM fields are
> >> >> left in place.
> >> >>
> >> >> The SharePoint server is responding with a 401 unauthorized.
> >> >>
> >> >> Where would be the next place to start looking?
> >> > Are you trying with Windows 7 clients? If yes, have you tried with a Windows
> >> > XP one?
> >> >
> >> > I'm facing the same problem (getting Integrated Windows Authentication to
> >> > work through Squid) and as long as clients are Windows XP it works fine.
> >> >
> >> > If this is the case, I can tell you that we already tried to lower the
> >> > security settings in Windows 7 to something comparable to those of Windows
> >> > XP but still see differences in behaviour (and still have the problem)...
> >> >
> >> > Regards, Javier
> >> >
> >> > PS: excuse me OP if the message went through twice, but Android doesn't
> >> > let me send plain text emails and the first one got bounced :(
> >> >
> >> >> I am running 3.1.10.
> >> >>
> >> >> Thanks all,
> >> >>
> >> >> Simon
> >> >>
> >
> >



Re: Authenticating to sharepoint NTLM

Javier Conti
On 19 April 2012 00:05, Simon Dwyer <[hidden email]> wrote:
> Hi Javier,
>
> Well you will be glad to know that I am using IWA with Windows 7 and it's
> working great for the most part.
>
> By IWA I mean using negotiated Kerberos authentication, which is what I
> think IWA basically is.

Hi Simon,

I think we're not talking about the "same IWA". I mean IWA as described
for example here [1] or here [2].

If that's what you're actually doing, would you be so kind to post (or send
me off list) a dump of the request/response headers of the Windows 7
successfully doing IWA (going through Squid, obviously)?

Thanks, Javier

[1] http://en.wikipedia.org/wiki/Integrated_Windows_Authentication
[2] http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/523ae943-5e6a-4200-9103-9808baa00157.mspx?mfr=true

>
> There are just a few hiccups that happen, but that also happens with
> NTLM, this issue being one of them.
>
> I also cannot get iTunes to use the proxy properly with authentication
> due to 100 popups asking for passwords.
>
> I will be working on this sharepoint issue more tomorrow however.
>
> Cheers,
>
> Simon
>
>
>
> On Wed, 2012-04-18 at 23:18 +0200, Javier Conti wrote:
>> On 18 April 2012 23:07, Simon Dwyer <[hidden email]> wrote:
>> > I have seen this problem on a Windows 7 and a Fedora 16 machine.  I
>> > think I can rule out the Windows machine for once ;)
>> >
>> > I am using FF on the Linux machine... is that known to have double NTLM
>> > issues?
>>
>> It is known for Windows 7 (I don't know about Linux clients) to behave
>> differently from Windows XP.
>>
>> As Clem suggested, there are a few settings that should make 7 behave
>> similarly to XP. I tried all of them (according to support at least) but
>> unfortunately, the problem persists.
>>
>> I would be more than happy to know that someone is successfully doing
>> Integrated Windows Authentication through Squid with a Windows 7 client!
>>
>> Regards, Javier
>>
>> >
>> > Simon
>> >
>> > On Wed, 2012-04-18 at 19:36 +0200, Clem wrote:
>> >> Hello,
>> >>
>> >> Try to set "Send LM & NTLM - use NTLMv2 session security if negotiated"
>> >> in local policies (secpol.msc)
>> >>
>> >> Go to: Local Policies > Security Options
>> >>
>> >> Find "Network Security: LAN Manager authentication level"
>> >>
>> >> Change Setting from "Send NTLMv2 response only"
>> >> to
>> >> "Send LM & NTLM - use NTLMv2 session security if negotiated"
>> >>
>> >> Good luck !
>> >>
>> >>
>> >> Clem
>> >>
>> >> On 18/04/2012 18:51, Javier Conti wrote:
>> >> > On 18 April 2012 07:33, Simon Dwyer<[hidden email]>  wrote:
>> >> >> Hi all,
>> >> >>
>> >> >> I have just implemented squid with kerberos + ntlm + basic
>> >> >> authentication.
>> >> >>
>> >> >> I have just been told accessing a sharepoint website on the internet has
>> >> >> stopped working.
>> >> >>
>> >> >> It seems the site is running NTLM authentication.
>> >> >>
>> >> >> I have wiresharked the traffic on the proxy and can see the request come
>> >> >> in from the client then out to the web server and the NTLM fields are
>> >> >> left in place.
>> >> >>
>> >> >> The SharePoint server is responding with a 401 unauthorized.
>> >> >>
>> >> >> Where would be the next place to start looking?
>> >> > Are you trying with Windows 7 clients? If yes, have you tried with a Windows
>> >> > XP one?
>> >> >
>> >> > I'm facing the same problem (getting Integrated Windows Authentication to
>> >> > work through Squid) and as long as clients are Windows XP it works fine.
>> >> >
>> >> > If this is the case, I can tell you that we already tried to lower the
>> >> > security settings in Windows 7 to something comparable to those of Windows
>> >> > XP but still see differences in behaviour (and still have the problem)...
>> >> >
>> >> > Regards, Javier
>> >> >
>> >> > PS: excuse me OP if the message went through twice, but Android doesn't
>> >> > let me send plain text emails and the first one got bounced :(
>> >> >
>> >> >> I am running 3.1.10.
>> >> >>
>> >> >> Thanks all,
>> >> >>
>> >> >> Simon
>> >> >>
>> >
>> >
>
>

Re: Authenticating to sharepoint NTLM

Brett Lymn-2
In reply to this post by Javier Conti
On Wed, Apr 18, 2012 at 11:18:05PM +0200, Javier Conti wrote:
>
> It is known for Windows 7 (I don't know about Linux clients) to behave
> differently from Windows XP.
>

If you are using Samba for the authentication then perhaps adding:

server signing = auto

to the smb.conf will help. By default Win 7 uses SMB signing; if you
put this option on, Samba will check whether SMB signing is being used
and respond appropriately. This obviates the need to try to tweak
the Win 7 security settings down, which really is a losing proposition,
since every time you rebuild the Win 7 client machine you have to remember to
redo the security tweak, or your environment may simply not allow you to
adjust these settings.

--
Brett Lymn
"Warning:
The information contained in this email and any attached files is
confidential to BAE Systems Australia. If you are not the intended
recipient, any use, disclosure or copying of this email or any
attachments is expressly prohibited.  If you have received this email
in error, please notify us immediately. VIRUS: Every care has been
taken to ensure this email and its attachments are virus free,
however, any loss or damage incurred in using this email is not the
sender's responsibility.  It is your responsibility to ensure virus
checks are completed before installing any data sent in this email to
your computer."



Re: Authenticating to sharepoint NTLM

Javier Conti
On 19 April 2012 02:01, Brett Lymn <[hidden email]> wrote:

> On Wed, Apr 18, 2012 at 11:18:05PM +0200, Javier Conti wrote:
>>
>> It is known for Windows 7 (I don't know about Linux clients) to behave
>> differently from Windows XP.
>>
>
> If you are using samba for the authentication then perhaps adding:
>
> server signing = auto
>
> to the smb.conf will help.  By default Win 7 uses SMB signing, if you
> put this option on then samba will check if SMB signing is being used
> and respond appropriately.  This obviates the need for trying to tweak
> the Win 7 security settings down which really is a losing proposition
> since every time you rebuild the Win 7 client machine you have to remember to
> redo the security tweak or your environment may simply not allow you to
> adjust these settings.

Where should I put this setting? On the Squid server?

In my case, the LAB Squid through which I'm going is at the moment
completely open. By the way, if I try Kerberos, NTLM or plain auth against the
proxy itself, it works fine. It's just Windows 7 against IIS with IWA
through the proxy that doesn't work. I don't think it's related, unless I'm
missing something...

Regards, Javier

>
> --
> Brett Lymn

Re: Authenticating to sharepoint NTLM

Brett Lymn-2
On Thu, Apr 19, 2012 at 02:09:20AM +0200, Javier Conti wrote:
>
> Where should I put this setting? On the Squid server?
>

If you are using Samba, the setting goes in the smb.conf; if you are
not using Samba to do the NTLM auth, the setting won't help.

--
Brett Lymn



Re: Authenticating to sharepoint NTLM

Simon Dwyer
In reply to this post by Simon Dwyer
So I just disabled authentication on the proxy and the problem still
happens.

If I bypass the proxy I can log in correctly, but when I set the proxy and
go through without authentication it fails to log in.

Seems Squid might be playing with the traffic somehow?

Simon

On Wed, 2012-04-18 at 18:47 +0200, Javier Conti wrote:

>
> On Apr 18, 2012 7:34 AM, "Simon Dwyer" <[hidden email]> wrote:
> >
> > Hi all,
> >
> > I have just implemented squid with kerberos + ntlm + basic
> > authentication.
> >
> > I have just been told accessing a sharepoint website on the internet has
> > stopped working.
> >
> > It seems the site is running NTLM authentication.
> >
> > I have wiresharked the traffic on the proxy and can see the request come
> > in from the client then out to the web server and the NTLM fields are
> > left in place.
> >
> > The SharePoint server is responding with a 401 unauthorized.
> >
> > Where would be the next place to start looking?
>
> Are you trying with Windows 7 clients? If yes, have you tried with a
> Windows XP one?
>
> I'm facing the same problem (getting Integrated Windows Authentication
> to work through Squid) and as long as clients are Windows XP it works
> fine.
>
> If this is the case, I can tell you that we already tried to lower the
> security settings in Windows 7 to something comparable to those of
> Windows XP but still see differences in behaviour (and still have the
> problem)...
>
> Regards, Javier
>
> >
> > I am running 3.1.10.
> >
> > Thanks all,
> >
> > Simon
> >
>
>



Re: Authenticating to sharepoint NTLM

Amos Jeffries
Administrator
In reply to this post by Javier Conti
On 19.04.2012 12:09, Javier Conti wrote:

> On 19 April 2012 02:01, Brett Lymn wrote:
>> On Wed, Apr 18, 2012 at 11:18:05PM +0200, Javier Conti wrote:
>>>
>>> It is known for Windows 7 (I don't know about Linux clients) to
>>> behave
>>> differently from Windows XP.
>>>
>>
>> If you are using samba for the authentication then perhaps adding:
>>
>> server signing = auto
>>
>> to the smb.conf will help.  By default Win 7 uses SMB signing, if
>> you
>> put this option on then samba will check if SMB signing is being
>> used
>> and respond appropriately.  This obviates the need for trying to
>> tweak
>> the Win 7 security settings down which really is a losing
>> proposition
>> since every time you rebuild the Win 7 client machine you have to
>> remember to
>> redo the security tweak or your environment may simply not allow you
>> to
>> adjust these settings.
>
> Where should I put this setting? On the Squid server?
>
> In my case, the LAB Squid through which I'm going is at the moment
> completely open. By the way, if I try Kerberos, NTLM or plain auth
> against the
> proxy itself, it works fine. It's just Windows 7 against IIS with IWA
> through the
> proxy that doesn't work. I don't think it's related, unless I'm
> missing something...
>

IWA and NTLM auth are two different things.

IWA is "just" the API in Windows used to fetch credentials. It defaults
to a minimal security level (NTLMv1 for older Windows 2k etc, NTLMv2 for
Windows XP, Kerberos for Windows 7, etc). But any type of credentials
are available through it, even Basic auth credentials if the Domain is
set up to allow that.

NTLM is a *collection* of a good dozen auth protocols sharing a binary
syntax. They are grouped into four generational types: LM, NTLMv1,
NTLMv2, and Kerberos, with most of the ancient protocol types coming
under the "LM" banner. Each version of Windows uses a slightly different
set.

Now, Squid has nothing to do with any of that complex layer beyond
shuffling the WWW-Auth credentials from client to server and pinning the
TCP connections to prevent HTTP multiplexing and pipelining. Possibly
passing to the helpers if it's Proxy-Auth. A lot of the actual failure
problems with NTLM hang around persistent connections not working or the
Windows versions' accepted security levels not overlapping (aka which
sub-protocol is supported).

Given that you have other systems working with NTLM or Kerberos through
the proxy, it's a good sign that the proxy connections are working and
set up right. BUT, the specific client system is also involved in
connection persistence. If either end is prematurely closing the TCP
links it will all fail badly.
If that appears to be behaving the same with keep-alive, it is most
likely an NTLM sub-protocol problem. For that you will need to go deep
into a packet trace to figure out which sub-protocol(s) each end of the
client-->server system is offering to use and see where the difference
is.

Amos
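Amos's advice to work out which sub-protocol each end offers means decoding the NTLMSSP tokens carried in the Proxy-/WWW-Authenticate and Authorization headers of the packet trace. The following is an added example, not code from this thread or from Squid: a decoder for the NEGOTIATE, CHALLENGE and AUTHENTICATE messages that lists the negotiate flags, reports which offered flags the server dropped, and classifies the client's response as NTLMv1, NTLMv1+ESS or NTLMv2. The sample tokens, the CORP domain, user and nonce values are constructed here for illustration.

```python
import base64
import struct

# Added example (not Squid's code): decode the NTLMSSP tokens that ride in the
# Proxy-/WWW-Authenticate and Authorization headers. Offsets and flag bits per MS-NLMP.
SIGNATURE = b"NTLMSSP\x00"
ESS = 0x00080000  # NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY ("NTLM2 session")
FLAGS = {0x1: "UNICODE", 0x2: "OEM", 0x4: "REQUEST_TARGET", 0x10: "SIGN", 0x20: "SEAL",
         0x80: "LM_KEY", 0x200: "NTLM", 0x8000: "ALWAYS_SIGN", 0x10000: "TARGET_TYPE_DOMAIN",
         0x20000: "TARGET_TYPE_SERVER", ESS: "EXTENDED_SESSIONSECURITY", 0x800000: "TARGET_INFO",
         0x2000000: "VERSION", 0x20000000: "128", 0x40000000: "KEY_EXCH", 0x80000000: "56"}

def flag_names(flags):
    return sorted(name for bit, name in FLAGS.items() if flags & bit)

def _field(data, off):
    """Resolve a (Len, MaxLen, BufferOffset) descriptor to the bytes it points at."""
    length, _maxlen, buf_off = struct.unpack_from("<HHI", data, off)
    return data[buf_off:buf_off + length]

def classify_authenticate(lm_resp, nt_resp, flags):
    """Infer which sub-protocol the client really used from its AUTHENTICATE blobs."""
    if len(nt_resp) > 24:                 # 16-byte NTProofStr + NTLMv2 client blob
        return "NTLMv2"
    if len(nt_resp) == 24:                # 24-byte DES response: NTLMv1 family
        if flags & ESS and len(lm_resp) == 24 and lm_resp[8:] == bytes(16):
            return "NTLMv1+ESS"           # LM slot = 8-byte client nonce + 16 zero bytes
        return "NTLMv1"
    return "anonymous" if len(lm_resp) <= 1 else "unknown"

def parse_ntlm_header(value):
    """Decode 'NTLM <base64>' from an HTTP auth header into type, flags and sub-protocol."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        raise ValueError("not an NTLM header")
    data = base64.b64decode(token)
    if data[:8] != SIGNATURE:
        raise ValueError("bad NTLMSSP signature")
    msg_type = struct.unpack_from("<I", data, 8)[0]
    if msg_type == 1:                     # NEGOTIATE: NegotiateFlags at offset 12
        return {"type": 1, "flags": flag_names(struct.unpack_from("<I", data, 12)[0])}
    if msg_type == 2:                     # CHALLENGE: flags at 20, 8-byte ServerChallenge at 24
        flags = struct.unpack_from("<I", data, 20)[0]
        return {"type": 2, "flags": flag_names(flags), "challenge": data[24:32].hex()}
    if msg_type == 3:                     # AUTHENTICATE: Lm/Nt descriptors at 12/20, flags at 60
        lm_resp, nt_resp = _field(data, 12), _field(data, 20)
        flags = struct.unpack_from("<I", data, 60)[0]
        return {"type": 3, "flags": flag_names(flags),
                "variant": classify_authenticate(lm_resp, nt_resp, flags)}
    raise ValueError("unknown NTLM message type %d" % msg_type)

def dropped_by_server(negotiate_hdr, challenge_hdr):
    """Flags the client offered in NEGOTIATE that the server's CHALLENGE did not keep."""
    offered = set(parse_ntlm_header(negotiate_hdr)["flags"])
    kept = set(parse_ntlm_header(challenge_hdr)["flags"])
    return sorted(offered - kept)

# Builders for constructed sample tokens (placeholder nonces/responses, no real credentials).
def _layout(fixed_len, blobs):
    """Place variable-length payloads after the fixed part; return (descriptors, payload)."""
    descs, payload, off = b"", b"", fixed_len
    for blob in blobs:
        descs += struct.pack("<HHI", len(blob), len(blob), off)
        payload, off = payload + blob, off + len(blob)
    return descs, payload

def build_negotiate(flags):
    descs, payload = _layout(32, [b"", b""])   # empty DomainName/Workstation fields
    msg = SIGNATURE + struct.pack("<II", 1, flags) + descs + payload
    return "NTLM " + base64.b64encode(msg).decode()

def build_challenge(flags, target, nonce):
    tgt = target.encode("utf-16-le")
    av_pairs = struct.pack("<HH", 2, len(tgt)) + tgt + struct.pack("<HH", 0, 0)  # NbDomainName, EOL
    descs, payload = _layout(56, [tgt, av_pairs])
    msg = (SIGNATURE + struct.pack("<I", 2) + descs[:8] + struct.pack("<I", flags)
           + nonce + bytes(8) + descs[8:] + bytes(8) + payload)  # Reserved, TargetInfo, Version
    return "NTLM " + base64.b64encode(msg).decode()

def build_authenticate(flags, lm_resp, nt_resp, domain, user, host):
    blobs = [lm_resp, nt_resp] + [s.encode("utf-16-le") for s in (domain, user, host)] + [b""]
    descs, payload = _layout(88, blobs)         # 88 = fixed part incl. Version and MIC
    msg = SIGNATURE + struct.pack("<I", 3) + descs + struct.pack("<I", flags) + bytes(24) + payload
    return "NTLM " + base64.b64encode(msg).decode()

# Constructed exchange: the client offers ESS, the server keeps only what it supports.
CLIENT_OFFER = 0x1 | 0x2 | 0x4 | 0x10 | 0x200 | 0x8000 | ESS | 0x2000000 | 0x20000000 | 0x80000000
SERVER_KEPT = 0x1 | 0x4 | 0x10 | 0x200 | 0x8000 | 0x10000 | 0x800000 | 0x2000000 | 0x20000000 | 0x80000000
```

Run it over the header values captured on both sides of the proxy: a flag present in the client's NEGOTIATE but missing from the server's CHALLENGE, or an AUTHENTICATE variant the server then rejects with 401, is the difference Amos is pointing at.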


RE: Authenticating to sharepoint NTLM

cl00m
How is your squid.conf? Especially your cache_peer line?

-----Original Message-----
From: Amos Jeffries [mailto:[hidden email]]
Sent: Thursday 19 April 2012 04:02
To: [hidden email]
Subject: Re: [squid-users] Authenticating to sharepoint NTLM

On 19.04.2012 12:09, Javier Conti wrote:

> On 19 April 2012 02:01, Brett Lymn wrote:
>> On Wed, Apr 18, 2012 at 11:18:05PM +0200, Javier Conti wrote:
>>>
>>> It is known for Windows 7 (I don't know about Linux clients) to
>>> behave differently from Windows XP.
>>>
>>
>> If you are using samba for the authentication then perhaps adding:
>>
>> server signing = auto
>>
>> to the smb.conf will help.  By default Win 7 uses SMB signing, if you
>> put this option on then samba will check if SMB signing is being used
>> and respond appropriately.  This obviates the need for trying to
>> tweak the Win 7 security settings down which really is a losing
>> proposition since every time you rebuild the Win 7 client machine you
>> have to remember to redo the security tweak or your environment may
>> simply not allow you to adjust these settings.
>
> Where should I put this setting? On the Squid server?
>
> In my case, the LAB Squid through which I'm going is at the moment
> completely open. By the way, if I try Kerberos, NTLM or plain auth
> against the proxy itself, it works fine. It's just Windows 7 against
> IIS with IWA through the proxy that doesn't work. I don't think it's
> related, unless I'm missing something...
>

IWA and NTLM auth are two different things.

IWA is "just" the API in Windows used to fetch credentials. It defaults to a minimal security level (NTLMv1 for older Windows 2k etc, NTLMv2 for Windows XP, Kerberos for Windows 7, etc). But any type of credentials are available through it, even Basic auth credentials if the Domain is set up to allow that.

NTLM is a *collection* of a good dozen auth protocols sharing a binary syntax. They are grouped into four generational types: LM, NTLMv1, NTLMv2, and Kerberos, with most of the ancient protocol types coming under the "LM" banner. Each version of Windows uses a slightly different set.

Now, Squid has nothing to do with any of that complex layer beyond shuffling the WWW-Auth credentials from client to server and pinning the TCP connections to prevent HTTP multiplexing and pipelining. Possibly passing to the helpers if it's Proxy-Auth. A lot of the actual failure problems with NTLM hang around persistent connections not working or the Windows versions' accepted security levels not overlapping (aka which sub-protocol is supported).

Given that you have other systems working with NTLM or Kerberos through the proxy, it's a good sign that the proxy connections are working and set up right. BUT, the specific client system is also involved in connection persistence. If either end is prematurely closing the TCP links it will all fail badly.
If that appears to be behaving the same with keep-alive, it is most likely an NTLM sub-protocol problem. For that you will need to go deep into a packet trace to figure out which sub-protocol(s) each end of the client-->server system is offering to use and see where the difference is.

Amos