Squid not authorize with NTLMv1

Squid not authorize with NTLMv1

Thomas_Socomec
This post has NOT been accepted by the mailing list yet.
Dear all,

I am a developer of small embedded systems, and I use Micrium's HTTPc stack to send data to a server.
My problem is that this stack doesn't integrate a proxy manager, so I am developing this part, and I use Squid to test my project.
I have no problem with basic authentication, but the NTLMv1 authentication doesn't work (for information, it works perfectly with an IIS proxy).

This is what I see:
- I send the Negotiate message to Squid.
- Squid answers me with the Challenge message (407). When I decode the data, all seems correct, and I get the challenge key.
- I send the Authenticate message to Squid.
- Squid answers me again with a 407 page, instead of giving me access to the remote server. The answer is:


HTTP/1.1 407 Proxy Authentication Required
Server: squid/3.4.8
Mime-Version: 1.0
Date: Fri, 25 Aug 2017 12:40:38 GMT
Content-Type: text/html
Content-Length: 3383
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en
Proxy-Authenticate: NTLM
X-Cache: MISS from squi-AD
X-Cache-Lookup: NONE from squi-AD:3128
Via: 1.1 squi-AD (squid/3.4.8)
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>ERROR: Cache Access Denied</title>
<style type="text/css"><!-- /* Stylesheet for Squid Error pages Adapted from design by Free CSS Templates http://www.freecsstemplates.org Released for free under a Creative Commons Attribution 2.5 License */ /* Page basics */ * { font-family: verdana, sans-serif; } html body { margin: 0; padding: 0; background: #efefef; font-size: 12px; color: #1e1e1e; } /* Page displayed title area */ #titles { margin-left: 15px; padding: 10px; padding-left: 100px; background: url('http://www.squid-cache.org/Artwork/SN.png') no-repeat left; } /* initial title */ #titles h1 { color: #000000; } #titles h2 { color: #000000; } /* special event: FTP success page titles */ #titles ftpsuccess { background-color:#00ff00; width:100%; } /* Page displayed body content area */ #content { padding: 10px; background: #ffffff; } /* General text */ p { } /* error brief description */ #error p { } /* some data which may have caused the problem */ #data { } /* the error message received from the system or other software */ #sysmsg { } pre { font-family:sans-serif; } /* special event: FTP / Gopher directory listing */ #dirmsg { font-family: courier; color: black; font-size: 10pt; } #dirlisting { margin-left: 2%; margin-right: 2%; } #dirlisting tr.entry td.icon,td.filename,td.size,td.date { border-bottom: groove; } #dirlisting td.size { width: 50px; text-align: right; padding-right: 5px; } /* horizontal lines */ hr { margin: 0; } /* page displayed footer area */ #footer { font-size: 9px; padding-left: 10px; } body :lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; } :lang(he) { direction: rtl; } --></style></head><body id=ERR_CACHE_ACCESS_DENIED>
<div id="titles">

ERROR

Cache Access Denied.

</div>
<hr>

<div id="content">
<p>The following error was encountered while trying to retrieve the URL: https://94.125.109.116/*</p>

<blockquote id="error">
<p>Cache Access Denied.</p>
</blockquote>

<p>Sorry, you are not currently allowed to request https://94.125.109.116/* from this cache until you have authenticated yourself.</p>

<p>Please contact the cache administrator if you have difficulties authenticating yourself.</p>

<br>
</div>

<hr> 
<div id="footer">
<p>Generated Fri, 25 Aug 2017 12:40:38 GMT by squi-AD (squid/3.4.8)</p>

</div>
</body></html>


What should I use to enable NTLMv1? Is NTLMv1 maybe deactivated by default, or suppressed?
Is there a problem with NTLMv1 in my Squid configuration? Or maybe in the Samba configuration?

When I try with a computer running Windows, I see in Wireshark that it uses NTLMv2 to authenticate.

Thank you in advance for your help ...

Thomas

Re: Squid not authorize with NTLMv1

Thomas_Socomec
Just for information, I now use these flags in my negotiate message:
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_UNICODE

But I have tried with lots of combinations ...
NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
NTLMSSP_NEGOTIATE_VERSION
...

If I look at CNTLM (which is an NTLM client written in C), I see this flag combination:

if (creds->hashntlm2)                   /* NTLMv2 credentials */
        flags = 0xa208b205;
else if (creds->hashnt == 2)            /* NTLM2 session response */
        flags = 0xa208b207;
else if (creds->hashnt && creds->hashlm) /* NTLMv1: both NT and LM responses */
        flags = 0xb207;
else if (creds->hashnt)                 /* NTLMv1: NT response only */
        flags = 0xb205;
else if (creds->hashlm)                 /* NTLMv1: LM response only */
        flags = 0xb206;
else {
        if (debug) {
                printf("You're requesting with empty auth_s?!\n");
                dump_auth(creds);
        }
        return 0;
}

So it seems that I should use 0xb207 in my negotiate message, which corresponds to:
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_REQUEST_TARGET
NTLM_NEGOTIATE_OEM
NTLMSSP_NEGOTIATE_UNICODE

Squid answers me with its flags, and I adapt the authenticate message to these flags, but this is also not working (negotiate OK, authenticate KO).
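The three-step exchange from the first post (Negotiate, 407 with the Challenge token, Authenticate) and the 0xb207 flag word decoded above, worked through as an added example that is not part of this thread and is not code from Squid, Samba, CNTLM or Micrium. The flag values are the NegotiateFlags bits from MS-NLMP section 2.2.2.5; the Type 2 challenge and the 407 header list below are constructed samples, not captured from Squid; the function names are my own. The example builds the Type 1 message, pulls the Type 2 token out of the 407 headers, parses the server challenge, target name and server flags, and reports whether the server set NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY, in which case a client that echoes that flag in its Type 3 must compute the NTLM2 session response rather than a plain NTLMv1 response, which would be rejected exactly as described (negotiate OK, authenticate KO). The Type 3 response computation itself is left out. One more check a practitioner would make on the Samba side: whether winbind accepts NTLMv1 responses at all is controlled by the `ntlm auth` option in smb.conf (Samba 4.5 and later default it to no), and the smb.conf shown in this thread does not set it.

```python
"""Added example (not from the thread, nor from Squid, Samba, CNTLM or Micrium).

Decodes NTLMSSP NegotiateFlags, builds a Type 1 (NEGOTIATE) message and parses
the Type 2 (CHALLENGE) token a proxy returns in its 407. Flag values follow
MS-NLMP 2.2.2.5; the sample challenge is constructed here, not captured.
"""
import base64
import struct

# Subset of NegotiateFlags bits (MS-NLMP 2.2.2.5), value -> name.
NTLM_FLAGS = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE",
    0x00000002: "NTLM_NEGOTIATE_OEM",
    0x00000004: "NTLMSSP_REQUEST_TARGET",
    0x00000010: "NTLMSSP_NEGOTIATE_SIGN",
    0x00000020: "NTLMSSP_NEGOTIATE_SEAL",
    0x00000080: "NTLMSSP_NEGOTIATE_LM_KEY",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00001000: "NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED",
    0x00002000: "NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "NTLMSSP_TARGET_TYPE_DOMAIN",
    0x00020000: "NTLMSSP_TARGET_TYPE_SERVER",
    0x00080000: "NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00800000: "NTLMSSP_NEGOTIATE_TARGET_INFO",
    0x02000000: "NTLMSSP_NEGOTIATE_VERSION",
    0x20000000: "NTLMSSP_NEGOTIATE_128",
    0x40000000: "NTLMSSP_NEGOTIATE_KEY_EXCH",
    0x80000000: "NTLMSSP_NEGOTIATE_56",
}
SIGNATURE = b"NTLMSSP\x00"
ESS = 0x00080000


def decode_flags(flags):
    """Names of the flag bits set in a 32-bit NegotiateFlags word (sorted)."""
    return sorted(name for bit, name in NTLM_FLAGS.items() if flags & bit)


def build_type1(flags, domain=b"", workstation=b""):
    """Type 1 message: 32-byte header, optional OEM domain/workstation payload."""
    header_len = 32
    msg = SIGNATURE + struct.pack("<II", 1, flags)
    msg += struct.pack("<HHI", len(domain), len(domain), header_len)
    msg += struct.pack("<HHI", len(workstation), len(workstation), header_len + len(domain))
    return msg + domain + workstation


def ntlm_header_value(token):
    """'NTLM <base64>' as carried in Proxy-Authorization / Proxy-Authenticate."""
    return "NTLM " + base64.b64encode(token).decode("ascii")


def challenge_from_407(headers):
    """Return the decoded NTLM token from a (name, value) header list, or None."""
    for name, value in headers:
        if name.lower() == "proxy-authenticate" and value.startswith("NTLM "):
            return base64.b64decode(value[5:])
    return None


def parse_type2(msg):
    """Parse a Type 2 message: target name, server flags, 8-byte challenge, AV pairs."""
    if msg[:8] != SIGNATURE or struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not an NTLMSSP CHALLENGE_MESSAGE")
    tn_len, _tn_max, tn_off = struct.unpack_from("<HHI", msg, 12)
    flags = struct.unpack_from("<I", msg, 20)[0]
    challenge = msg[24:32]                      # ServerChallenge; 32..40 is Reserved
    ti_len, _ti_max, ti_off = struct.unpack_from("<HHI", msg, 40)
    raw_name = msg[tn_off:tn_off + tn_len]
    name = raw_name.decode("utf-16-le") if flags & 0x1 else raw_name.decode("ascii")
    return {"target_name": name, "flags": flags, "challenge": challenge,
            "target_info": msg[ti_off:ti_off + ti_len]}


def server_wants_ess(flags):
    """True when the server offers extended session security (NTLM2 session / NTLMv2 path)."""
    return bool(flags & ESS)


def _constructed_type2():
    """Constructed sample challenge for target SOCOMEC with a fixed nonce (not real traffic)."""
    target = "SOCOMEC".encode("utf-16-le")
    target_info = struct.pack("<HH", 2, len(target)) + target + struct.pack("<HH", 0, 0)
    flags = 0x00898205  # UNICODE|REQUEST_TARGET|NTLM|ALWAYS_SIGN|TARGET_TYPE_DOMAIN|ESS|TARGET_INFO
    msg = SIGNATURE + struct.pack("<I", 2)
    msg += struct.pack("<HHI", len(target), len(target), 48)
    msg += struct.pack("<I", flags) + bytes.fromhex("0123456789abcdef") + b"\x00" * 8
    msg += struct.pack("<HHI", len(target_info), len(target_info), 48 + len(target))
    return msg + target + target_info


# Constructed stand-in for the relevant headers of a 407 response.
SAMPLE_407_HEADERS = [("Content-Type", "text/html"),
                      ("Proxy-Authenticate", ntlm_header_value(_constructed_type2()))]

if __name__ == "__main__":
    t1 = build_type1(0xb207)
    print("Type 1 flags:", decode_flags(0xb207))
    print("Proxy-Authorization:", ntlm_header_value(t1))
    info = parse_type2(challenge_from_407(SAMPLE_407_HEADERS))
    print("Server flags:", decode_flags(info["flags"]))
    print("Challenge:", info["challenge"].hex(), "target:", info["target_name"])
    print("Server offers ESS:", server_wants_ess(info["flags"]))
```

Running the block prints the seven flag names behind 0xb207 (matching the list above), then the constructed server's flags; the ESS bit is the one to look at when the Authenticate step fails, since it changes how the LM and NT response fields must be filled. From a defender's point of view the same decoder is useful in reverse: a proxy that still negotiates plain NTLMv1 (no ESS, no NTLMv2) is accepting a DES-based, unsalted response format, which is why current Samba releases turn it off by default.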

Re: Squid not authorize with NTLMv1

Thomas_Socomec
This is my Squid conf:

# Squid needs to know the machine name; our machine is called srv-proxy, so:
visible_hostname squi-AD

# By default the proxy listens on both of its interfaces; for security reasons it must therefore be
# restricted to listening on the local network (LAN) interface
http_port 192.168.18.202:3128

# Change the size of Squid's cache; replace the value 100 with whatever you want (value in MB)
cache_dir ufs /var/spool/squid3 100 16 256

#################################### ACL ####################################

acl all src all # ACL to allow/deny all networks (Source = All); mandatory ACL
acl lan src 192.168.18.0/24 # ACL to allow/deny the 192.168.18.0 network
acl Safe_ports port 80 # HTTP port = 'safe' port
acl Safe_ports port 443 # HTTPS port = 'safe' port
acl Safe_ports port 21 # FTP port = 'safe' port
############################################################################

# Disable all protocols except the safe ports
http_access deny !Safe_ports

# Disable access for all networks except the clients of the lan ACL
# deny = refuse; ! = except; lan = name of the ACL being referenced.
http_access deny !lan

# Port used by the proxy:
# The port given here must be the one set in your browser.
http_port 3128

# Declare the program that handles authentication:
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm keep_alive off

#auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
#auth_param basic children 5
#auth_param basic realm SOCOMEC
#auth_param basic credentialsttl 2 hours

# Thanks to this ACL, the proxy will require authentication
acl ntlm proxy_auth REQUIRED

# Deny access to all users except those in the Utilisateurs file
http_access allow ntlm

debug_options 0

And my samba conf :

[global]
   workgroup = SOCOMEC
   realm = SOCOMEC.TEST
   security = ads
   encrypt passwords = yes

   password server = AD-SRV.SOCOMEC.TEST

   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind enum groups = yes
   winbind enum users = yes
   winbind use default domain = yes



Re: Squid not authorize with NTLMv1

Thomas_Socomec
Hello,
Can nobody help me make Squid work with my device?
If you have any idea, I can test it right now!
Thomas