Problems with NTLM authentication

Problems with NTLM authentication

Verónica Ovando
My Squid Version:  Squid 3.4.8

OS Version:  Debian 8

I have installed Squid on a server using Debian 8 and seem to have the basics operating; at least when I start the squid service I am no longer getting any error messages.  At this time, the goal is to authenticate users from Active Directory and log the user and the websites they are accessing.

I followed the official guide http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm. I verified that samba is properly configured, as the guide suggests, with the basic helper in this way:

# /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
domain\user pass
OK

Here is a part of my squid.conf where I defined my ACLs for the groups in AD:

========================================================================================================
auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=DOMAIN.com
auth_param ntlm children 30

auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Servidor proxy-cache de mi Dominio
auth_param basic credentialsttl 2 hours

external_acl_type AD_Grupos ttl=10 children=10 %LOGIN /usr/lib/squid3/ext_wbinfo_group_acl -d

# the group ACLs must reference the external_acl_type name defined above (AD_Grupos)
acl AD_Standard external AD_Grupos Standard
acl AD_Exceptuados external AD_Grupos Exceptuados
acl AD_Bloqueados external AD_Grupos Bloqueados
 
acl face url_regex -i "/etc/squid3/facebook"
acl gob url_regex -i "/etc/squid3/gubernamentales"

http_access allow AD_Standard
http_access allow AD_Exceptuados !face !gob
http_access deny AD_Bloqueados
========================================================================================================

I tested using only the basic scheme (I commented out the lines for NTLM auth) and every time I open the browser it asks me for my user and pass. And it works well, because I can see my username in the access.log and all the access policies defined are correctly applied.

But if I use NTLM auth, the browser still shows me the pop-up (it should not be shown) and if I enter my user and pass it keeps asking me for them until I cancel it.

My access.log, in that case, shows a TCP_DENIED/407 as expected.

What could be the problem? I suppose that both the Kerberos and NTLM protocols work together, I mean that they can live together in the same environment and Kerberos is used by default. How can I check that NTLM is really working? Could it be a problem in the squid conf? Or maybe AD is not allowing NTLM traffic?

Sorry for my English. Thanks in advance.

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
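The question "how can I check that NTLM is really working?" can be answered from access.log alone, because Squid logs the challenge sequence: a Basic login shows one TCP_DENIED/407 before the first successful request, an NTLM login shows two (the client answers the first 407 with its NEGOTIATE message and gets a second 407 carrying the challenge), and a broken setup shows 407 after 407 with no request ever carrying a username. The script below is an added example for this thread, not code from the Squid project or from anyone in the discussion. It parses Squid's default "native" log format, and the log lines, client addresses, usernames and the "three consecutive 407s means a loop" threshold are all constructed assumptions for the demonstration. It also flags usernames ending in "$", which is how AD machine accounts appear when background software on a workstation authenticates with the computer account rather than a user.

```python
import re
from collections import defaultdict

# Squid "native" access.log layout (the default logformat):
#   time elapsed client code/status bytes method URL user hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[^/\s]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)"
)

# Constructed sample, not taken from the thread. Client .15 completes a normal
# NTLM handshake (two 407s, then a 200 carrying the username), .27 is stuck in a
# challenge loop like the original report, and .40 is a workstation authenticating
# with its machine account (username ending in "$").
SAMPLE_LOG = """\
1448381000.101      0 10.0.0.15 TCP_DENIED/407 3966 GET http://www.example.com/ - HIER_NONE/- text/html
1448381000.125      0 10.0.0.15 TCP_DENIED/407 4032 GET http://www.example.com/ - HIER_NONE/- text/html
1448381000.310    212 10.0.0.15 TCP_MISS/200 15320 GET http://www.example.com/ DOMAIN\\alice HIER_DIRECT/93.184.216.34 text/html
1448381010.001      0 10.0.0.27 TCP_DENIED/407 3966 GET http://intranet.example.com/ - HIER_NONE/- text/html
1448381010.020      0 10.0.0.27 TCP_DENIED/407 4032 GET http://intranet.example.com/ - HIER_NONE/- text/html
1448381015.300      0 10.0.0.27 TCP_DENIED/407 4032 GET http://intranet.example.com/ - HIER_NONE/- text/html
1448381020.500      0 10.0.0.27 TCP_DENIED/407 4032 GET http://intranet.example.com/ - HIER_NONE/- text/html
1448381030.700      0 10.0.0.40 TCP_DENIED/407 3966 GET http://updates.example.com/cab/auth.cab - HIER_NONE/- application/octet-stream
1448381030.720      0 10.0.0.40 TCP_DENIED/407 4032 GET http://updates.example.com/cab/auth.cab - HIER_NONE/- application/octet-stream
1448381030.900     80 10.0.0.40 TCP_MISS/200 1204 GET http://updates.example.com/cab/auth.cab DOMAIN\\ws0040$ HIER_DIRECT/203.0.113.5 application/octet-stream
"""


def parse_line(line):
    """Return the fields of one native-format log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def analyse(lines, loop_threshold=3):
    """Per client: completed auth handshakes (one or two 407s followed by a non-407),
    challenge loops (loop_threshold or more consecutive 407s), users seen, and
    machine accounts (AD computer accounts end in "$")."""
    pending = defaultdict(int)  # unresolved consecutive 407s per client
    report = defaultdict(lambda: {"handshakes": 0, "loops": 0,
                                  "users": set(), "machine_accounts": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        client = rec["client"]
        entry = report[client]
        if rec["status"] == 407:
            pending[client] += 1
            if pending[client] == loop_threshold:   # count each loop once
                entry["loops"] += 1
            continue
        # Any non-407 answer resolves the pending challenges. One 407 (Basic) or
        # two (NTLM) before it is the normal handshake Amos describes in the thread.
        if 1 <= pending[client] < loop_threshold:
            entry["handshakes"] += 1
        pending[client] = 0
        user = rec["user"]
        if user != "-":
            entry["users"].add(user)
            if user.endswith("$"):
                entry["machine_accounts"].add(user)
    return dict(report)


if __name__ == "__main__":
    for client, entry in sorted(analyse(SAMPLE_LOG.splitlines()).items()):
        print(client, "handshakes=%d loops=%d users=%s machine=%s" % (
            entry["handshakes"], entry["loops"],
            sorted(entry["users"]), sorted(entry["machine_accounts"])))
```

Run it over a real log with `analyse(open("/var/log/squid3/access.log"))`; a client that shows up with loops but never a handshake is the symptom described in the first post, and machine accounts in the users set are the automated traffic Amos warns about, which a group-based ACL policy will silently deny or allow depending on the implicit default.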
Re: Problems with NTLM authentication

brendan
On 11/24/2015 10:08 AM, Verónica Ovando wrote:

> But if I use NTLM auth, the browser still shows me the pop-up (it should
> not be shown) and if I enter my user and pass it keeps asking me for them
> until I cancel it.

Make sure Internet Explorer is set to use Integrated Windows
Authentication (IWA).  Tools --> Internet Options --> Advanced -->
Security --> Enable Integrated Windows Authentication.
Re: Problems with NTLM authentication

Amos Jeffries
On 25/11/2015 4:44 a.m., Brendan Kearney wrote:

> On 11/24/2015 10:08 AM, Verónica Ovando wrote:
>> My Squid Version:  Squid 3.4.8
>>
>> OS Version:  Debian 8
>>
>> I have installed Squid on a server using Debian 8 and seem to have the
>> basics operating; at least when I start the squid service I am
>> no longer getting any error messages.  At this time, the goal is to
>> authenticate users from Active Directory and log the user and the
>> websites they are accessing.

Please ensure you run "squid3 -k parse" to check if there is anything
minor still potentially being a problem. I doubt it will help with the
current issue, but you may find some things to make it work more smoothly.

>>
>> I followed the official guide
>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm. I
>> verified that samba is properly configured, as the guide suggests, with
>> the basic helper in this way:
>>
>> # /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
>> domain\user pass
>> OK
>>
>> Here is a part of my squid.conf where I defined my ACLs for the groups
>> in AD:
>>
>> ========================================================================================================
>>
>> auth_param ntlm program /usr/local/bin/ntlm_auth
>> --helper-protocol=squid-2.5-ntlmssp --domain=DOMAIN.com
>> auth_param ntlm children 30

Try also using:
  auth_param ntlm keepalive off

>>
>> auth_param basic program /usr/local/bin/ntlm_auth
>> --helper-protocol=squid-2.5-basic
>> auth_param basic children 5
>> auth_param basic realm Servidor proxy-cache de mi Dominio
>> auth_param basic credentialsttl 2 hours
>>
>> external_acl_type AD_Grupos ttl=10 children=10 %LOGIN
>> /usr/lib/squid3/ext_wbinfo_group_acl -d
>>
>> # the group ACLs must reference the external_acl_type name defined above (AD_Grupos)
>> acl AD_Standard external AD_Grupos Standard
>> acl AD_Exceptuados external AD_Grupos Exceptuados
>> acl AD_Bloqueados external AD_Grupos Bloqueados
>>
>> acl face url_regex -i "/etc/squid3/facebook"
>> acl gob url_regex -i "/etc/squid3/gubernamentales"
>>
>> http_access allow AD_Standard
>> http_access allow AD_Exceptuados !face !gob
>> http_access deny AD_Bloqueados
>> ========================================================================================================
>>
>>
>> I tested using only the basic scheme (I commented the lines out for
>> NTLM auth) and every time I open the browser it asks me my user and
>> pass. And it works well because I can see in the access.log my
>> username and all the access policies defined are correctly applied.
>>

Good.

>> But if I use NTLM auth, the browser still shows me the pop-up (it should
>> not be shown) and if I enter my user and pass it keeps asking me for them
>> until I cancel it.
>>
>> My access.log, in that case, shows a TCP_DENIED/407 as expected.

It should show one with Basic, and two with NTLM. Always.

The popup and 407 are different things.

* The 407 means the client is behaving and not broadcasting credentials
everywhere. Also Squid is now informing it that they do need to be sent
on this connection, using the Basic or NTLM schema.

* The popup means the browser was unable to find credentials to answer
the 407 with. If some were sent earlier the proxy rejected them.

 ... that includes the proxy rejecting via "deny AD_Bloqueados". Users
in group Bloqueados may be prompted with a popup until they enter
somebody else's credentials, someone who is not in that group.
Add " all" to the right hand end of the "deny AD_Bloqueados" line to
prevent that.


>>
>> What could be the problem? I suppose that both the Kerberos and NTLM
>> protocols work together, I mean that they can live together in the same
>> environment and Kerberos is used by default.

You have not configured your Squid to offer Kerberos. Therefore it is not
an option the client can choose, and not part of the equation.

If the client is new enough software with no NTLM support (e.g. most MS
software written since Vista / ~2008), then lack of Kerberos may be the
problem, in which case it should use Basic.

If the client is pre-empting the initial 407 by sending Kerberos
credentials, it is broken.

FYI: Basic authentication is ironically more secure than NTLM these
days. Even the "secure" NTLMv2 extensions can now be decrypted given a
few hours. At least with Basic the software handling it assumes
insecurity and does necessary paranoid things to protect the credentials
- most NTLM software does not.


>> How can I check that NTLM
>> is really working? Could it be a squid problem in the conf? Or maybe
>> AD is not allowing NTLM traffic?

NTLM does not work. It was designed broken. (sorry, joke. But not far
from the truth).

>>
>> Sorry for my English. Thanks in advance.
>>

> make sure Internet Explorer is set to use Integrated Windows
> Authentication (IWA).  Tools --> Internet Options --> Advanced -->
> Security --> Enable Integrated Windows Authentication.

And be aware that sometimes random software on the machine will do
automated HTTP requests to the proxy using the machine's own AD account
credentials. Not a "user" account.

Also use a line that does authentication explicitly before checking the
group access. NTLM badly violates HTTP requirements and some of the
older Squid bugs can result in problems when external ACL %LOGIN is the
trigger behind authentication happening.

What I mean is using:

 acl login proxy_auth REQUIRED
 http_access deny !login

 http_access allow AD_Standard
 http_access allow AD_Exceptuados !face !gob
 http_access deny AD_Bloqueados all

Even if it is not strictly necessary, it will clarify exactly what point
authentication happens and eliminates those bug side effects from being
a worry.

Amos

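Two of Amos's points above (the trailing " all" on the deny line, and doing authentication explicitly with "deny !login" before the group checks) come down to Squid's http_access evaluation rules: lines are tried in order and the first line whose ACLs all match decides; an ACL that needs credentials the request does not carry makes Squid answer 407; a matching deny line whose last ACL is an authentication ACL makes Squid re-challenge with 407 instead of answering 403 (that is the popup that keeps coming back); and when no line matches, the default is the opposite of the last line's action. The following model of those rules is an added example written for this page, not Squid's code and not anyone's post in the thread. It applies the rules to the http_access lines quoted above and to Amos's version; the regex contents of /etc/squid3/facebook and /etc/squid3/gubernamentales are not on the page, so the patterns here are stand-ins, the usernames and group memberships are invented, and the closing "deny all" in HARDENED is my own addition, because with a deny line last the implicit default lets through any authenticated user who is in none of the three groups.

```python
import re

# ACL definitions mirroring the squid.conf in the thread. "external" stands for
# ext_wbinfo_group_acl with %LOGIN, which needs a logged-in user just like proxy_auth.
ACLS = {
    "login":          ("proxy_auth", "REQUIRED"),
    "AD_Standard":    ("external", "Standard"),
    "AD_Exceptuados": ("external", "Exceptuados"),
    "AD_Bloqueados":  ("external", "Bloqueados"),
    "face":           ("url_regex", [r"facebook\.com"]),   # constructed stand-in
    "gob":            ("url_regex", [r"\.gob\."]),         # constructed stand-in
    "all":            ("all", None),
}

# http_access lines exactly as posted in the thread ...
ORIGINAL = [
    ("allow", ["AD_Standard"]),
    ("allow", ["AD_Exceptuados", "!face", "!gob"]),
    ("deny",  ["AD_Bloqueados"]),
]
# ... and with Amos's two changes plus a final "deny all" (my addition).
HARDENED = [
    ("deny",  ["!login"]),
    ("allow", ["AD_Standard"]),
    ("allow", ["AD_Exceptuados", "!face", "!gob"]),
    ("deny",  ["AD_Bloqueados", "all"]),
    ("deny",  ["all"]),
]

AUTH_ACL_TYPES = {"proxy_auth", "external"}


def match_acl(acl, req):
    """True/False, or "AUTH" when the ACL needs credentials the request does not carry."""
    kind, arg = acl
    if kind == "all":
        return True
    if kind == "url_regex":
        return any(re.search(p, req["url"], re.IGNORECASE) for p in arg)
    if req["user"] is None:
        return "AUTH"                   # Squid answers with a 407 challenge
    if kind == "proxy_auth":
        return True                     # REQUIRED: any successfully authenticated user
    if kind == "external":
        return arg in req["groups"]     # helper answer: is the user in this AD group?
    raise ValueError("unknown ACL type %r" % kind)


def http_access(rules, acls, req):
    """First-match evaluation in the style of Squid; returns (HTTP status, reason)."""
    for action, terms in rules:
        matched, last_kind = True, None
        for term in terms:
            negated = term.startswith("!")
            name = term.lstrip("!")
            result = match_acl(acls[name], req)
            if result == "AUTH":
                return 407, "challenge: %s needs credentials" % name
            last_kind = acls[name][0]
            if bool(result) == negated:
                matched = False
                break
        if not matched:
            continue
        if action == "allow":
            return 200, "allow " + " ".join(terms)
        if last_kind in AUTH_ACL_TYPES:
            # Deny ending in an auth ACL: Squid re-challenges, so the popup comes back.
            return 407, "deny %s re-challenges" % " ".join(terms)
        return 403, "deny " + " ".join(terms)
    # Nothing matched: Squid defaults to the opposite of the last line's action.
    if rules[-1][0] == "deny":
        return 200, "implicit allow (last line was deny)"
    return 403, "implicit deny (last line was allow)"


def request(url, user=None, *groups):
    """Constructed request: url, authenticated DOMAIN\\user (None = no credentials), AD groups."""
    return {"url": url, "user": user, "groups": frozenset(groups)}


if __name__ == "__main__":
    cases = {
        "no credentials":          request("http://www.example.com/"),
        "user in Bloqueados":      request("http://www.example.com/", "DOMAIN\\bob", "Bloqueados"),
        "user in no group":        request("http://www.example.com/", "DOMAIN\\carol"),
        "Exceptuados on facebook": request("http://www.facebook.com/", "DOMAIN\\dave", "Exceptuados"),
    }
    for label, req in cases.items():
        print("%-24s original=%s  hardened=%s" % (
            label, http_access(ORIGINAL, ACLS, req), http_access(HARDENED, ACLS, req)))
```

The model ignores helper TTLs and the Basic/NTLM round-trip differences; what it shows is the decision logic: with the posted lines a Bloqueados user is re-challenged forever, and both a user in no group and an Exceptuados user on a blocked site fall off the end of the list and are allowed, which the trailing "deny all" closes.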
Re: Problems with NTLM authentication

Amos Jeffries
On 27/11/2015 1:22 a.m., Verónica Ovando wrote:

> Amos, thanks for your help.
>
> I followed carefully every suggestion you gave me. And the problem
> persists.
>
> I rebuilt the cache, checked that IE has IWA enabled and added the lines
> in the squid.conf, but that change did not clarify the problem for me.
>
> My environment is a Windows Server 2008 Active Directory and the clients
> are mostly Windows 7 with IE8.
>
> I extracted some lines from the cache.log, here they are:
> http://pastebin.com/3YrzL62Q
>
> In line 24 there is an error message: ERROR: NTLM Authentication
> validating user. Result: {result=BH, notes={message: NT_STATUS_UNSUCCESSFUL
> NT_STATUS_UNSUCCESSFUL; }} When the pop-up appears, I try (with no luck
> of course) to authenticate with my AD account, but it fails, even though
> it belongs to group AD_Standard and the ACL defined for it is
> http_access allow AD_Standard.

This might be your problem:
<http://r.git.net/general/2014-07/msg17028.html>

Amos