microsoft edge and proxy auth not working

microsoft edge and proxy auth not working

Rietzler, Markus (RZF, SG 324 / <RIETZLER_SOFTWARE>)
we have some windows 10 clients using microsoft edge browser.
access to internet is only allowed for authenticated users. we are using samba/winbind auth

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 64 startup=24 idle=12
auth_param ntlm keep_alive on
acl auth_user proxy_auth REQUIRED

on windows 10 clients with IE11 it is working (with ntlm automatic auth) on the same machine, with Microsoft edge I get TCP_Denied/407 message. seems I only get one single TCP_DENIED/407 line in accesslog and an auth dialog pops up. I have disabled basic auth via ntlm.
shouldn't there be 3 lines for proxy auth? with IE11 I see those three lines (2x TCP_DENIED/407 and 1x TCP_MISS/200), no popup at all.

winbind/samba itself seems to work, as I can do a user auth against apache with winbind/samba - even over some squid proxies with connection-auth allowed. but not for proxy-auth.
is there any option in squid.conf which prevents Edge from doing a successful auth?


Kind regards

Markus Rietzler

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: microsoft edge and proxy auth not working

Rietzler, Markus (RZF, SG 324 / <RIETZLER_SOFTWARE>)
i should add that we are using squid 3.5.24.


Re: microsoft edge and proxy auth not working

Amos Jeffries
Administrator
On 8/03/2017 11:28 p.m., Rietzler, Markus (RZF, Aufg 324 /
<RIETZLER_SOFTWARE>) wrote:
> i should add that we are using squid 3.5.24.
>

Try with "auth_param ntlm keep_alive off". Recently the browsers have
been needing that.

Though frankly I am surprised if Edge supports NTLM at all. It was
deprecated in April 2006 and MS announced removal was being actively
pushed in all their software since Win7.

>
>> -----Original Message-----
>> From: Rietzler, Markus
>>
>> we have some windows 10 clients using microsoft edge browser.
>> access to internet is only allowed for authenticated users. we are using
>> samba/winbind auth
>>
>> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
>> auth_param ntlm children 64 startup=24 idle=12
>> auth_param ntlm keep_alive on
>> acl auth_user proxy_auth REQUIRED
>>
>> on windows 10 clients with IE11 it is working (with ntlm automatic auth)
>> on the same machine, with Microsoft edge I get TCP_Denied/407 message.
>> seems I only get one single TCP_DENIED/407 line in accesslog and an auth
>> dialog pops up. I have disabled basic auth via ntlm.
>> shouldn't there be 3 lines for proxy auth? with IE11 I see those three
>> lines (2x TCP_DENIED/407 and 1x TCP_MISS/200), no popup at all.

Not specifically. There should be 1+ for NTLM. Success with NTLM shows
2+. Failure shows 1 or 3 or infinite loop (hello Safari and Firefox 30-ish).


>>
>> winbind/samba itself seems to work, as I can do an user auth against
>> apache with winbind/samba - even over some squid proxies with
>> connection-auth allowed. but not for proxy-auth.
>> is there any option in squid.conf which prevents Edge to do a successful
>> auth?

If other software succeeds then the only thing that might be related is
the keep-alive option mentioned above. Otherwise the problem is in Edge
itself.

Amos
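
Added example, not part of the original thread or of Squid: the reply above reads the handshake outcome off the number of TCP_DENIED/407 lines, and this script does that count per client and URL. The sample lines are constructed in Squid's native access.log format; the `WINDOW` and `LOOP_AFTER` thresholds and the grouping by client, method and URL are assumptions of this example.

```python
"""Classify proxy-auth handshakes seen in a Squid access.log (added example)."""
from collections import namedtuple

Handshake = namedtuple("Handshake", "client url challenges outcome user")

WINDOW = 30.0    # assumption: a run of 407s idle for this many seconds is over
LOOP_AFTER = 3   # assumption: more 407s than this with no success is a loop

# Constructed sample in Squid's native access.log format:
# time elapsed client code/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1488968760.101      0 10.0.0.11 TCP_DENIED/407 4086 GET http://example.com/ - HIER_NONE/- text/html
1488968760.140      1 10.0.0.11 TCP_DENIED/407 4420 GET http://example.com/ - HIER_NONE/- text/html
1488968760.312    150 10.0.0.11 TCP_MISS/200 1270 GET http://example.com/ alice HIER_DIRECT/192.0.2.10 text/html
1488968775.020      0 10.0.0.12 TCP_DENIED/407 4086 GET http://example.com/ - HIER_NONE/- text/html
1488968900.000      0 10.0.0.13 TCP_DENIED/407 4086 GET http://example.org/ - HIER_NONE/- text/html
1488968900.050      0 10.0.0.13 TCP_DENIED/407 4086 GET http://example.org/ - HIER_NONE/- text/html
1488968900.100      0 10.0.0.13 TCP_DENIED/407 4086 GET http://example.org/ - HIER_NONE/- text/html
1488968900.150      0 10.0.0.13 TCP_DENIED/407 4086 GET http://example.org/ - HIER_NONE/- text/html
1488968900.200      0 10.0.0.13 TCP_DENIED/407 4086 GET http://example.org/ - HIER_NONE/- text/html
"""


def parse_line(line):
    """Return the fields needed from one native-format line, or None."""
    f = line.split()
    if len(f) < 10:
        return None
    status = f[3].rpartition("/")[2]
    try:
        return {"ts": float(f[0]), "client": f[2], "status": int(status),
                "method": f[5], "url": f[6], "user": f[7]}
    except ValueError:
        return None


def _close(key, run, out):
    """Record a run of 407s that never ended in an authenticated request."""
    outcome = "loop" if run["n"] > LOOP_AFTER else "stalled"
    out.append(Handshake(key[0], key[2], run["n"], outcome, None))


def classify(lines):
    """Group 407 challenges per (client, method, URL) and label each run.

    authenticated: the run ended with a non-407 reply that carries a user name
    stalled:       1..LOOP_AFTER challenges, then nothing (e.g. a login popup)
    loop:          more than LOOP_AFTER challenges and still no success
    """
    pending = {}   # key -> {"n": challenge count, "last": time of last 407}
    out = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        # Close runs that have been silent for longer than WINDOW.
        stale = [k for k, r in pending.items() if e["ts"] - r["last"] > WINDOW]
        for key in stale:
            _close(key, pending.pop(key), out)
        key = (e["client"], e["method"], e["url"])
        if e["status"] == 407:
            run = pending.setdefault(key, {"n": 0, "last": e["ts"]})
            run["n"] += 1
            run["last"] = e["ts"]
        elif key in pending and e["user"] != "-":
            run = pending.pop(key)
            out.append(Handshake(e["client"], e["url"], run["n"],
                                 "authenticated", e["user"]))
    for key in list(pending):
        _close(key, pending.pop(key), out)
    return out


if __name__ == "__main__":
    for h in classify(SAMPLE_LOG.splitlines()):
        print(f"{h.client:<12} {h.outcome:<14} 407s={h.challenges} "
              f"user={h.user or '-'} {h.url}")
```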

Re: microsoft edge and proxy auth not working

Rafael Akchurin
Hello Amos, Markus, all,

Just as a side note - I also suffered from this error some time before with Edge and our custom NTLM relay to domain controllers (run as auth helper by Squid). The strange thing is it went away after installing some (unknown) Windows update.

I do have the "auth_param ntlm keep_alive off" in the config though.

It all makes me quite suspicious the error was/is in Edge or in my curly hands.

Best regards,
Rafael Akchurin
Diladele B.V.

Re: microsoft edge and proxy auth not working

Mike Surcouf
Hi Rafael

Is there any reason you can't use Kerberos?
Note you will need to create a keytab but the setup is not that hard and in the docs.
I use it very successfully on a Windows AD network.

auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth
auth_param negotiate children 20
auth_param negotiate keep_alive on

Thanks

Mike

Re: microsoft edge and proxy auth not working

Rafael Akchurin
Hello Mike,

I specifically was debugging our NTLM implementation with Edge :)

Kerberos works just fine, you are correct.

Best regards,
Rafael Akchurin

Re: microsoft edge and proxy auth not working

Mike Surcouf
Ah OK sorry
I am curious why you have a reason to use NTLM over Kerberos? :-)

Re: microsoft edge and proxy auth not working

Rafael Akchurin
The thing is, when you got some machines in your network which are not joined to the domain (think apple, linux) you still need NTLM support on proxy :(

And having full blown Samba just because of those few is too much of admin's hassle - so we had to write NTLM relay that would rebind to domain controller with LDAP protocol passing NTLM token back and forth.

Joining Squid proxy to the domain (which is required to authenticate using Samba/NTLM) also prevents from successful reverts from vm snapshots after 30 days and requires rejoin - thus preventing us from creating easily provisioned/thrown away scalable web filter / proxy instances (think docker).

Best regards,
Rafael Akchurin

Re: microsoft edge and proxy auth not working

brendan
adding this back to the mailing list, for the benefit of those who
search for it.

i do not have simple and easy to use instructions for mac os x and linux
participation in AD.  it is not a simple task.  on linux, you will need
to look into SSSD (Simple Security Services Daemon) and understand that
process.

i have a mac for work, and it is a domain member object, so i know it
can be done.  i don't know how it is done, and would think there are
internet articles that you can search for on the subject.

On 03/09/2017 02:13 PM, Rafael Akchurin wrote:

> Hello Brendan,
>
> Yes by default we have NTLM disabled :)
>
> Unfortunately we must keep the proxy solution in parity with DC capabilities in AD which luckily still support NTLM authentication through LDAP.
>
> This allows us to relay the tokens without Samba as I described in previous mail.
>
> BTW if you could share the ready to use (simple) instructions to have Kerberos auth supported from Mac/iPhone/iPad and Linux (Ubuntu/CentOS) it would be beneficial to all.
>
> Best regards,
> Rafael Akchurin
>
>> On 9 Mar 2017, at 19:47, Brendan Kearney <[hidden email]> wrote:
>>
>>> On 03/09/2017 01:17 PM, Rafael Akchurin wrote:
>>> The thing is, when you got some machines in your network which are not joined to the domain (think apple, linux) you still need NTLM support on proxy :(
>>>
>>> And having full blown Samba just because of those few is too much of admin's hassle - so we had to write NTLM relay that would rebind to domain controller with LDAP protocol passing NTLM token back and forth.
>>>
>>> Joining Squid proxy to the domain (which is required to authenticate using Samba/NTLM) also prevents from successful reverts from vm snapshots after 30 days and requires rejoin - thus preventing us from creating easily provisioned/thrown away scalable web filter / proxy instances (think docker).
>>>
>>> Best regards,
>>> Rafael Akchurin
>>>
>> mac os x and linux can be joined to the domain and use kerberos auth.  it sounds like you have a "dont want to" situation, instead of a "cannot" situation there.
>>
>> when both kerberos and ntlm are advertised as supported by the proxy, the client will negotiate which auth method is used.  when both the client and the proxy support kerberos, that will be used.  if the client is then not able to pull a ticket from the directory to satisfy the kerberos auth to the proxy, the auth fails.  the fall back to ntlm as the auth method will not occur in this situation.
>>
>> ntlm will only be used if one or both of the parties does not support kerberos, and therefore the negotiated auth method chosen is not kerberos.
>>
>> in Edge, disable the IWA (Integrated Windows Authentication) under Advanced settings, and close/relaunch any browser windows. this should get you using only ntlm.  effectively, you are forcing the client to not support kerberos and preventing that auth method from being negotiated for use.
>>
>> hth,
>>
>> brendan
>>

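Which mechanism a client actually sent, as discussed in the message above, can be read from the `Proxy-Authorization` value in a capture. This is an added example, not part of any post in this thread; the function and sample names are hypothetical, and the sample tokens are constructed with correct framing only.

```python
import base64
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
NTLM_TYPES = {1: "negotiate", 2: "challenge", 3: "authenticate"}
OID_SPNEGO = bytes.fromhex("06062b0601050502")                  # 1.3.6.1.5.5.2
MECH_OIDS = [                                                    # DER-encoded OIDs
    ("kerberos", bytes.fromhex("06092a864886f712010202")),       # 1.2.840.113554.1.2.2
    ("kerberos-ms", bytes.fromhex("06092a864882f712010202")),    # 1.2.840.48018.1.2.2
    ("ntlmssp", bytes.fromhex("060a2b06010401823702020a")),      # 1.3.6.1.4.1.311.2.2.10
]

def classify_credentials(header_value):
    """Classify a Proxy-Authorization value as NTLM, SPNEGO, raw Kerberos or other."""
    scheme, _, blob = header_value.strip().partition(" ")
    result = {"scheme": scheme.lower(), "mechanism": "other", "detail": None}
    if result["scheme"] not in ("ntlm", "negotiate"):
        return result
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:                       # binascii.Error is a ValueError
        result["mechanism"] = "undecodable"
        return result
    if token.startswith(NTLMSSP_SIG) and len(token) >= 12:
        # NTLMSSP: 8-byte signature, then a little-endian 32-bit message type.
        msg_type = struct.unpack_from("<I", token, 8)[0]
        result.update(mechanism="ntlm", detail=NTLM_TYPES.get(msg_type, "unknown"))
    elif token[:1] == b"\x60" and OID_SPNEGO in token[:16]:
        # SPNEGO: report the mechanisms in the order their OIDs appear in the token.
        found = sorted((token.find(oid), name) for name, oid in MECH_OIDS if oid in token)
        result.update(mechanism="spnego", detail=[name for _, name in found])
    elif token[:1] == b"\x60" and MECH_OIDS[0][1] in token[:20]:
        result.update(mechanism="kerberos", detail="raw GSS-API token")
    return result

def _tlv(tag, body):
    """DER tag-length-value for bodies shorter than 128 bytes."""
    return bytes([tag, len(body)]) + body

def _header(scheme, token):
    return scheme + " " + base64.b64encode(token).decode("ascii")

# Constructed tokens: framing only, no real credentials or tickets.
_mechs = b"".join(oid for _, oid in MECH_OIDS)
SAMPLES = {
    "ntlm_type1": _header("NTLM", NTLMSSP_SIG + struct.pack("<I", 1) + bytes(20)),
    # Negotiate scheme carrying an NTLMSSP token
    "negotiate_ntlm": _header("Negotiate", NTLMSSP_SIG + struct.pack("<I", 3) + bytes(52)),
    "negotiate_spnego": _header("Negotiate", _tlv(0x60, OID_SPNEGO + _tlv(
        0xA0, _tlv(0x30, _tlv(0xA0, _tlv(0x30, _mechs)))))),
    "basic": "Basic dXNlcjpwYXNz",
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, classify_credentials(value))
```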
Re: microsoft edge and proxy auth not working

Rietzler, Markus (RZF, SG 324 / <RIETZLER_SOFTWARE>)
In reply to this post by Amos Jeffries
we have tried with "auth_param ntlm keep_alive off", but both with on/off it does not make a difference.
seems really to be connected to patch level and installed patches on windows 10.


> -----Original Message-----
> From: squid-users [mailto:[hidden email]] On
> Behalf Of Amos Jeffries
> Sent: Thursday, 9 March 2017 17:12
> To: [hidden email]
> Subject: Re: [squid-users] microsoft edge and proxy auth not working
>
> On 8/03/2017 11:28 p.m., Rietzler, Markus (RZF, Aufg 324 /
> <RIETZLER_SOFTWARE>) wrote:
> > i should add that we are using squid 3.5.24.
> >
>
> Try with "auth_param ntlm keep_alive off". Recently the browsers have
> been needing that.
>
> Though frankly I am surprised if Edge supports NTLM at all. It was
> deprecated in April 2006 and MS announced removal was being actively
> pushed in all their software since Win7.
>
> >
> >> -----Original Message-----
> >> From: Rietzler, Markus
> >>
> >> we have some windows 10 clients using microsoft edge browser.
> >> access to internet is only allowed for authenticated users. we are using
> >> samba/winbind auth
> >>
> >> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> >> auth_param ntlm children 64 startup=24 idle=12
> >> auth_param ntlm keep_alive on
> >> acl auth_user proxy_auth REQUIRED
> >>
> >> on windows 10 clients with IE11 it is working (with ntlm automatic auth)
> >> on the same machine, with Microsoft edge I get TCP_Denied/407 message.
> >> seems I only get one single TCP_DENIED/407 line in accesslog and an auth
> >> dialog pops up. I have disabled basic auth via ntlm.
> >> shouldn't there be 3 lines for proxy auth? with IE11 I see those three
> >> lines (2x TCP_DENIED/407 and 1x TCP_MISS/200), no popup at all.
>
> Not specifically. There should be 1+ for NTLM. Success with NTLM shows
> 2+. Failure shows 1 or 3 or infinite loop (hello Safari and Firefox
> 30-ish).
>
>
> >>
> >> winbind/samba itself seems to work, as I can do an user auth against
> >> apache with winbind/samba - even over some squid proxies with
> >> connection-auth allowed. but not for proxy-auth.
> >> is there any option in squid.conf which prevents Edge to do a successful
> >> auth?
>
> If other software succeeds then the only thing that might be related is
> the keep-alive option mentioned above. Otherwise the problem is in Edge
> itself.
>
> Amos
>

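The access.log line counts discussed in this thread (a run of TCP_DENIED/407 lines, then either a success line or nothing) can be checked mechanically. This is an added example, not code from any poster or from Squid; it assumes the native access.log format, groups by client address, method and URL because that format carries no connection id, and its function names, loop threshold and sample lines are constructed for illustration.

```python
from collections import namedtuple

Entry = namedtuple("Entry", "client status method url user")

def parse_line(line):
    """Parse one native-format access.log line; return None if it does not fit."""
    f = line.split()
    if len(f) < 10 or "/" not in f[3]:
        return None
    status = f[3].rsplit("/", 1)[1]
    if not status.isdigit():
        return None
    return Entry(client=f[2], status=int(status), method=f[5], url=f[6], user=f[7])

def classify_handshakes(log_text, loop_threshold=10):
    """Count 407 challenges per (client, method, URL) and say how each run ended.

    loop_threshold is an assumed cut-off for "infinite loop", not a Squid setting.
    """
    pending = {}      # (client, method, url) -> consecutive 407 count so far
    results = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        key = (e.client, e.method, e.url)
        if e.status == 407:
            pending[key] = pending.get(key, 0) + 1
        elif key in pending:
            # First non-407 answer after a run of challenges: the handshake finished.
            results.append({"client": e.client, "url": e.url, "user": e.user,
                            "challenges": pending.pop(key), "verdict": "completed"})
    for (client, _method, url), n in pending.items():
        # Challenges that were never followed by an authenticated request.
        verdict = "looping" if n >= loop_threshold else "abandoned"
        results.append({"client": client, "url": url, "user": None,
                        "challenges": n, "verdict": verdict})
    return results

# Constructed sample lines, not taken from the thread.
_ROW = "{ts:.3f} {ms:>6} {ip} {code} {size} GET http://example.com/ {user} {hier} text/html"

def _denied(ts, ip):
    return _ROW.format(ts=ts, ms=1, ip=ip, code="TCP_DENIED/407", size=4120,
                       user="-", hier="HIER_NONE/-")

SAMPLE_LOG = "\n".join(
    [_denied(1489054320.101, "10.0.0.11"),
     _denied(1489054320.140, "10.0.0.11"),
     _ROW.format(ts=1489054320.310, ms=160, ip="10.0.0.11", code="TCP_MISS/200",
                 size=1270, user="alice", hier="HIER_DIRECT/192.0.2.10"),
     _denied(1489054400.500, "10.0.0.12")]                       # single 407, then nothing
    + [_denied(1489054500 + i, "10.0.0.13") for i in range(3)]   # three 407s, no success
    + [_denied(1489054600 + i, "10.0.0.14") for i in range(12)]  # keeps retrying
)

if __name__ == "__main__":
    for r in classify_handshakes(SAMPLE_LOG):
        print("{client:<10} {challenges:>2} x 407 -> {verdict}".format(**r))
```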
Re: microsoft edge and proxy auth not working

Rietzler, Markus (RZF, SG 324 / <RIETZLER_SOFTWARE>)
In reply to this post by Mike Surcouf
Kerberos has been on the wishlist for a very long time.
one reason was: the setup is a bit complicated and we do have 150 proxies in our subsidiaries. so we need 150 different Kerberos setups with 150 trusts and tickets and certificates etc. so we work on this to have it someday replaced...

thanxs

> -----Original Message-----
> From: squid-users [mailto:[hidden email]] On
> Behalf Of Mike Surcouf
> Sent: Thursday, 9 March 2017 18:58
> To: 'Rafael Akchurin'; Amos Jeffries; [hidden email]
> Subject: Re: [squid-users] microsoft edge and proxy auth not working
>
> Hi Rafael
>
> Is there any reason you can't use Kerberos.
> Note you will need to create a keytab but the setup is not that hard and
> in the docs.
> I use it very successfully on window AD network.
>
> auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth
> auth_param negotiate children 20
> auth_param negotiate keep_alive on
>
> Thanks
>
> Mike
>
> -----Original Message-----
> From: squid-users [mailto:[hidden email]] On
> Behalf Of Rafael Akchurin
> Sent: 09 March 2017 17:01
> To: Amos Jeffries; [hidden email]
> Subject: Re: [squid-users] microsoft edge and proxy auth not working
>
> Hello Amos, Markus, all,
>
> Just as a side note - I also suffered  from this error sometime before
> with Edge and our custom NTLM relay to domain controllers (run as auth
> helper by Squid). The strange thing it went away after installing some
> (unknown) Windows update.
>
> I do have the "auth_param ntlm keep_alive off" in the config though.
>
> It all makes me quite suspicious the error was/is in Edge or in my curly
> hands.
>
> Best regards,
> Rafael Akchurin
> Diladele B.V.
>
> -----Original Message-----
> From: squid-users [mailto:[hidden email]] On
> Behalf Of Amos Jeffries
> Sent: Thursday, March 9, 2017 5:12 PM
> To: [hidden email]
> Subject: Re: [squid-users] microsoft edge and proxy auth not working
>
> On 8/03/2017 11:28 p.m., Rietzler, Markus (RZF, Aufg 324 /
> <RIETZLER_SOFTWARE>) wrote:
> > i should add that we are using squid 3.5.24.
> >
>
> Try with "auth_param ntlm keep_alive off". Recently the browsers have
> been needing that.
>
> Though frankly I am surprised if Edge supports NTLM at all. It was
> deprecated in April 2006 and MS announced removal was being actively
> pushed in all their software since Win7.
>
> >
> >> -----Original Message-----
> >> From: Rietzler, Markus
> >>
> >> we have some windows 10 clients using microsoft edge browser.
> >> access to internet is only allowed for authenticated users. we are
> >> using samba/winbind auth
> >>
> >> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> >> auth_param ntlm children 64 startup=24 idle=12
> >> auth_param ntlm keep_alive on
> >> acl auth_user proxy_auth REQUIRED
> >>
> >> on windows 10 clients with IE11 it is working (with ntlm automatic
> >> auth) on the same machine, with Microsoft edge I get TCP_Denied/407 message.
> >> seems I only get one single TCP_DENIED/407 line in accesslog and an
> >> auth dialog pops up. I have disabled basic auth via ntlm.
> >> shouldn't there be 3 lines for proxy auth? with IE11 I see those
> >> three lines (2x TCP_DENIED/407 and 1x TCP_MISS/200), no popup at all.
>
> Not specifically. There should be 1+ for NTLM. Success with NTLM shows
> 2+. Failure shows 1 or 3 or infinite loop (hello Safari and Firefox
> 30-ish).
>
>
> >>
> >> winbind/samba itself seems to work, as I can do an user auth against
> >> apache with winbind/samba - even over some squid proxies with
> >> connection-auth allowed. but not for proxy-auth.
> >> is there any option in squid.conf which prevents Edge to do a
> >> successful auth?
>
> If other software succeeds then the only thing that might be related is
> the keep-alive option mentioned above. Otherwise the problem is in Edge
> itself.
>
> Amos
>

Re: microsoft edge and proxy auth not working

Mike Surcouf
Are the browsing machines domain joined?
If so and you are just talking about joining the squid proxies to the domains for auth delegation to the dcs this is greatly simplified with realmd now.
Could probably be scripted quite easily.

-----Original Message-----
From: squid-users [mailto:[hidden email]] On Behalf Of Rietzler, Markus (RZF, Aufg 324 / <RIETZLER_SOFTWARE>)
Sent: 10 March 2017 09:53
To: [hidden email]
Subject: Re: [squid-users] microsoft edge and proxy auth not working

Kerberos has been on the wishlist for a very long time.
one reason was: the setup is a bit complicated and we do have 150 proxies in our subsidiaries. so we need 150 different Kerberos setups with 150 trusts and tickets and certificates etc. so we work on this to have it someday replaced...

thanxs

> -----Original Message-----
> From: squid-users [mailto:[hidden email]] On
> Behalf Of Mike Surcouf
> Sent: Thursday, 9 March 2017 18:58
> To: 'Rafael Akchurin'; Amos Jeffries;
> [hidden email]
> Subject: Re: [squid-users] microsoft edge and proxy auth not working
>
> Hi Rafael
>
> Is there any reason you can't use Kerberos.
> Note you will need to create a keytab but the setup is not that hard
> and in the docs.
> I use it very successfully on window AD network.
>
> auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth
> auth_param negotiate children 20
> auth_param negotiate keep_alive on
>
> Thanks
>
> Mike
>
> -----Original Message-----
> From: squid-users [mailto:[hidden email]]
> On Behalf Of Rafael Akchurin
> Sent: 09 March 2017 17:01
> To: Amos Jeffries; [hidden email]
> Subject: Re: [squid-users] microsoft edge and proxy auth not working
>
> Hello Amos, Markus, all,
>
> Just as a side note - I also suffered  from this error sometime before
> with Edge and our custom NTLM relay to domain controllers (run as auth
> helper by Squid). The strange thing it went away after installing some
> (unknown) Windows update.
>
> I do have the "auth_param ntlm keep_alive off" in the config though.
>
> It all makes me quite suspicious the error was/is in Edge or in my
> curly hands.
>
> Best regards,
> Rafael Akchurin
> Diladele B.V.
>
> -----Original Message-----
> From: squid-users [mailto:[hidden email]]
> On Behalf Of Amos Jeffries
> Sent: Thursday, March 9, 2017 5:12 PM
> To: [hidden email]
> Subject: Re: [squid-users] microsoft edge and proxy auth not working
>
> On 8/03/2017 11:28 p.m., Rietzler, Markus (RZF, Aufg 324 /
> <RIETZLER_SOFTWARE>) wrote:
> > i should add that we are using squid 3.5.24.
> >
>
> Try with "auth_param ntlm keep_alive off". Recently the browsers have
> been needing that.
>
> Though frankly I am surprised if Edge supports NTLM at all. It was
> deprecated in April 2006 and MS announced removal was being actively
> pushed in all their software since Win7.
>
> >
> >> -----Original Message-----
> >> From: Rietzler, Markus
> >>
> >> we have some windows 10 clients using microsoft edge browser.
> >> access to internet is only allowed for authenticated users. we are
> >> using samba/winbind auth
> >>
> >> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> >> auth_param ntlm children 64 startup=24 idle=12
> >> auth_param ntlm keep_alive on
> >> acl auth_user proxy_auth REQUIRED
> >>
> >> on windows 10 clients with IE11 it is working (with ntlm automatic
> >> auth) on the same machine, with Microsoft edge I get TCP_Denied/407 message.
> >> seems I only get one single TCP_DENIED/407 line in accesslog and an
> >> auth dialog pops up. I have disabled basic auth via ntlm.
> >> shouldn't there be 3 lines for proxy auth? with IE11 I see those
> >> three lines (2x TCP_DENIED/407 and 1x TCP_MISS/200), no popup at all.
>
> Not specifically. There should be 1+ for NTLM. Success with NTLM shows
> 2+. Failure shows 1 or 3 or infinite loop (hello Safari and Firefox
> 30-ish).
>
>
> >>
> >> winbind/samba itself seems to work, as I can do an user auth
> >> against apache with winbind/samba - even over some squid proxies
> >> with connection-auth allowed. but not for proxy-auth.
> >> is there any option in squid.conf which prevents Edge to do a
> >> successful auth?
>
> If other software succeeds then the only thing that might be related
> is the keep-alive option mentioned above. Otherwise the problem is in
> Edge itself.
>
> Amos
>

Re: microsoft edge and proxy auth not working

Rafael Akchurin
Hello all,

There is another way (not better but another) that does not require you to join squid machines to domain: Map proxy SPN to a designated user. I describe this at https://docs.diladele.com/administrator_guide_4_9/active_directory/create_user/index.html

Pros - have one user that can be used by farm of squid proxies without the need to join boxes to domain.
Cons - that one user needs to be managed separately from all other users - i.e. you do not want to set the password expiration policy for it - otherwise your exported keytab will be invalid.

My 2 cents.

Rafael Akchurin
Diladele B.V.


-----Original Message-----
From: squid-users [mailto:[hidden email]] On Behalf Of Mike Surcouf
Sent: Friday, March 10, 2017 10:56 AM
To: 'Rietzler, Markus (RZF, Aufg 324 / <RIETZLER_SOFTWARE>)' <[hidden email]>; [hidden email]
Subject: Re: [squid-users] microsoft edge and proxy auth not working

Are the browsing machines domain joined?
If so and you are just talking about joining the squid proxies to the domains for auth delegation to the dcs this is greatly simplified with realmd now.
Could probably be scripted quite easily.

-----Original Message-----
From: squid-users [mailto:[hidden email]] On Behalf Of Rietzler, Markus (RZF, Aufg 324 / <RIETZLER_SOFTWARE>)
Sent: 10 March 2017 09:53
To: [hidden email]
Subject: Re: [squid-users] microsoft edge and proxy auth not working

Kerberos has been on the wishlist for a very long time.
one reason was: the setup is a bit complicated and we do have 150 proxies in our subsidiaries. so we need 150 different Kerberos setups with 150 trusts and tickets and certificates etc. so we work on this to have it someday replaced...

thanxs

> -----Original Message-----
> From: squid-users [mailto:[hidden email]] On
> Behalf Of Mike Surcouf
> Sent: Thursday, 9 March 2017 18:58
> To: 'Rafael Akchurin'; Amos Jeffries;
> [hidden email]
> Subject: Re: [squid-users] microsoft edge and proxy auth not working
>
> Hi Rafael
>
> Is there any reason you can't use Kerberos.
> Note you will need to create a keytab but the setup is not that hard
> and in the docs.
> I use it very successfully on window AD network.
>
> auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth
> auth_param negotiate children 20
> auth_param negotiate keep_alive on
>
> Thanks
>
> Mike
>
> -----Original Message-----
> From: squid-users [mailto:[hidden email]]
> On Behalf Of Rafael Akchurin
> Sent: 09 March 2017 17:01
> To: Amos Jeffries; [hidden email]
> Subject: Re: [squid-users] microsoft edge and proxy auth not working
>
> Hello Amos, Markus, all,
>
> Just as a side note - I also suffered  from this error sometime before
> with Edge and our custom NTLM relay to domain controllers (run as auth
> helper by Squid). The strange thing it went away after installing some
> (unknown) Windows update.
>
> I do have the "auth_param ntlm keep_alive off" in the config though.
>
> It all makes me quite suspicious the error was/is in Edge or in my
> curly hands.
>
> Best regards,
> Rafael Akchurin
> Diladele B.V.
>
> -----Original Message-----
> From: squid-users [mailto:[hidden email]]
> On Behalf Of Amos Jeffries
> Sent: Thursday, March 9, 2017 5:12 PM
> To: [hidden email]
> Subject: Re: [squid-users] microsoft edge and proxy auth not working
>
> On 8/03/2017 11:28 p.m., Rietzler, Markus (RZF, Aufg 324 /
> <RIETZLER_SOFTWARE>) wrote:
> > i should add that we are using squid 3.5.24.
> >
>
> Try with "auth_param ntlm keep_alive off". Recently the browsers have
> been needing that.
>
> Though frankly I am surprised if Edge supports NTLM at all. It was
> deprecated in April 2006 and MS announced removal was being actively
> pushed in all their software since Win7.
>
> >
> >> -----Original Message-----
> >> From: Rietzler, Markus
> >>
> >> we have some windows 10 clients using microsoft edge browser.
> >> access to internet is only allowed for authenticated users. we are
> >> using samba/winbind auth
> >>
> >> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> >> auth_param ntlm children 64 startup=24 idle=12
> >> auth_param ntlm keep_alive on
> >> acl auth_user proxy_auth REQUIRED
> >>
> >> on windows 10 clients with IE11 it is working (with ntlm automatic
> >> auth) on the same machine, with Microsoft edge I get TCP_Denied/407 message.
> >> seems I only get one single TCP_DENIED/407 line in accesslog and an
> >> auth dialog pops up. I have disabled basic auth via ntlm.
> >> shouldn't there be 3 lines for proxy auth? with IE11 I see those
> >> three lines (2x TCP_DENIED/407 and 1x TCP_MISS/200), no popup at all.
>
> Not specifically. There should be 1+ for NTLM. Success with NTLM shows
> 2+. Failure shows 1 or 3 or infinite loop (hello Safari and Firefox
> 30-ish).
>
>
> >>
> >> winbind/samba itself seems to work, as I can do an user auth
> >> against apache with winbind/samba - even over some squid proxies
> >> with connection-auth allowed. but not for proxy-auth.
> >> is there any option in squid.conf which prevents Edge to do a
> >> successful auth?
>
> If other software succeeds then the only thing that might be related
> is the keep-alive option mentioned above. Otherwise the problem is in
> Edge itself.
>
> Amos
>