proxy ntlm-auth problems

proxy ntlm-auth problems

Silvester Langen

Hello squid users.

 
I have configured squid for ntlm authentication and it seems to work well. All needed browsers (ff, ie, chrome) work and programs like teamviewer or "heise register" do work too. But now I notice that other programs like Sage HR, Dakota, Sfirm and Elster have problems with authentication.
 
With wireshark I see the following:
 
(Stage1) Browsers, Teamviewer, etc. start a request to squid and squid returns "407 Proxy Authentication Required".
(Stage2) After that the client begins a new request for negotiation and sends the credentials. The connection works.
 
But...
 
(Stage1) Sage HR, Sfirm, etc. start a request to squid and squid returns "407 Proxy Authentication Required".
After that the client begins a new request but the same without credentials and negotiation. Of course, the proxy refuses the connection again.
 
I have no idea why the client software doesn't start stage2 and no idea how to find out why.
 
Here is my configuration for ntlm-auth:
 
auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=mydomain --kerberos /usr/lib/squid3/squid_kerb_auth -d -s GSS_C_NO_NAME
auth_param negotiate children 10
auth_param negotiate keep_alive off
acl auth proxy_auth REQUIRED
http_access allow auth
 
Thank you for helping me!

Silvester

Silvester Langen
IT Specialist - Systems Integration
Auf dem Leuchtenberg 78
41517 Grevenbroich

Mobile: 0170 69 66 580
Tel: 02181 21 555 01
Web: silvesterlangen.de

Certified MCSA, MCSE, LPIC-1


Re: proxy ntlm-auth problems

L.P.H. van Belle
I suggest you try:
 
auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
    --kerberos /usr/lib/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME \
    --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=MYDOMAIN
Greetz,
 
Louis
 


From: squid-users [mailto:[hidden email]] On Behalf Of Silvester Langen
Sent: Thursday, 17 January 2019 10:52
To: [hidden email]
Subject: [squid-users] proxy ntlm-auth problems

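One way to compare the two behaviours described in the question, as an added example that is not part of either post: the script reads the HTTP messages between one client and the proxy in capture order and, for each 407, reports which schemes the proxy offered in Proxy-Authenticate and whether the client's next request answered one of them. The sample flows, host name and token are constructed; they assume a proxy with only `auth_param negotiate` configured, which advertises only the Negotiate scheme.

```python
import re

# Constructed sample messages (not taken from the thread's capture).
REQ = "CONNECT example.test:443 HTTP/1.1\r\nHost: example.test:443\r\n"
R407 = ("HTTP/1.1 407 Proxy Authentication Required\r\n"
        "Proxy-Authenticate: Negotiate\r\n\r\n<html>denied</html>\r\n")
FLOW_OK = REQ + "\r\n" + R407 + REQ + "Proxy-Authorization: Negotiate TOKEN\r\n\r\n"
FLOW_FAIL = REQ + "\r\n" + R407 + REQ + "\r\n" + R407

# Matches a status line (capturing the code) or a request line.
START = re.compile(r"^(?:HTTP/1\.[01] (\d{3})|[A-Z]+ \S+ HTTP/1\.[01])")

def parse_messages(stream):
    """Split captured text into HTTP messages (start line plus headers)."""
    msgs, cur, in_headers = [], None, False
    for line in stream.split("\r\n"):
        m = START.match(line)
        if m:
            cur = {"status": m.group(1), "headers": []}  # status None = request
            msgs.append(cur)
            in_headers = True
        elif in_headers and line == "":
            in_headers = False  # what follows is body; ignore it
        elif in_headers and ":" in line:
            name, value = line.split(":", 1)
            cur["headers"].append((name.strip().lower(), value.strip()))
    return msgs

def schemes(msg, header):
    """Auth scheme (first token) of every occurrence of `header`."""
    return [v.split()[0].lower() for n, v in msg["headers"] if n == header and v]

def diagnose(stream):
    """For each 407, compare offered schemes with the client's next request."""
    msgs, out = parse_messages(stream), []
    for i, msg in enumerate(msgs):
        if msg["status"] != "407":
            continue
        offered = schemes(msg, "proxy-authenticate")
        nxt = next((m for m in msgs[i + 1:] if m["status"] is None), None)
        used = schemes(nxt, "proxy-authorization") if nxt else []
        if nxt is None:
            verdict = "client gave up"
        elif not used:
            verdict = "retry without credentials"
        elif used[0] in offered:
            verdict = "client answered offered scheme"
        else:
            verdict = "client used a scheme the proxy did not offer"
        out.append((offered, used[:1], verdict))
    return out
```

A "retry without credentials" verdict is the behaviour reported for Sage HR and Sfirm; the offered list beside it is what to check against the schemes those clients implement.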