Enc: [Fwd: Re: [squid-users] Behaviour change in ntlm authentication - please help]

From: <Rafael.Almeida@dont-contact.us>
Date: Mon, 27 Jun 2005 14:16:03 -0300

Henrik;
Is there a timeout for the reserved helper? Maybe a timeout could help with
the problem of the stuck reserved helpers.

Rafael Sarres de Almeida
Seção de Gerenciamento de Rede
Superior Tribunal de Justiça
Tel: (61) 319-9342

> Now, the browsers are getting one 407 error, sending an authentication
> package, getting another 407 error, sending a different authentication
> package, and then they are successfully authenticated. It seems to me that
> Squid is asking for ntlm v2, and was asking for ntlm v1 before. The domain
> policy for this is "Send LM & NTLM - Use NTLMv2 session security if
> negotiated".

This is the normal situation. There are always two NTLM packets sent by the
client per TCP connection to complete an NTLM authentication.

NTLM and NTLMv2 behave the same in this.

> Observing the "NTLM User Authentication Stats" in Cachemgr.cgi, we see that,
> in random times of the day, the ntlm helpers begin entering in the "R"
> state, and when all of them are in this state, then squid restarts itself,
> sometimes returning to normal operation, and sometimes repeating this
> process.

This indicates you have too few helpers for the client load you are
having, or that you have malicious clients never completing the NTLM
authentication but keeping their connection open. Due to the quite poor
design of NTLM over HTTP authentication you need very many helpers.

A helper is reserved between the two NTLM packets sent by the client. This
may be for quite extended periods of time (minutes) if the browser has
to ask the user to provide suitable login credentials to complete the
request.

Regards
Henrik
Received on Mon Jun 27 2005 - 11:16:09 MDT

This archive was generated by hypermail pre-2.1.9 : Fri Jul 01 2005 - 12:00:03 MDT
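The exchange above can be modelled to see why clients that never send the second NTLM packet drain the helper pool, and what the reservation timeout Rafael asks about would change. This is a constructed Python model added here, not Squid's own code; the `reserve_timeout` parameter and the event list are assumptions for illustration.

```python
"""Model of Squid's NTLM helper pool as described in the thread (constructed).
A helper enters the reserved ("R") state when a connection's first NTLM packet
(Type 1) arrives and is released only when the second (Type 3) arrives.
Connections that stay open without finishing keep the helper reserved."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Helper:
    state: str = "I"            # "I" idle, "R" reserved between the two packets
    conn: Optional[str] = None  # connection that holds the reservation
    reserved_at: float = 0.0


@dataclass
class HelperPool:
    size: int
    reserve_timeout: Optional[float] = None  # hypothetical; None = no timeout
    helpers: List[Helper] = field(default_factory=list)

    def __post_init__(self):
        self.helpers = [Helper() for _ in range(self.size)]

    def reserve(self, conn: str, now: float) -> bool:
        """First NTLM packet: bind an idle helper to this connection."""
        if self.reserve_timeout is not None:
            self.reap(now)
        for h in self.helpers:
            if h.state == "I":
                h.state, h.conn, h.reserved_at = "R", conn, now
                return True
        return False  # every helper is in "R": the situation seen in cachemgr

    def complete(self, conn: str) -> bool:
        """Second NTLM packet: the reserved helper goes back to idle."""
        for h in self.helpers:
            if h.state == "R" and h.conn == conn:
                h.state, h.conn = "I", None
                return True
        return False

    def reap(self, now: float) -> int:
        """Release reservations older than reserve_timeout; returns how many."""
        stale = [h for h in self.helpers
                 if h.state == "R" and now - h.reserved_at >= self.reserve_timeout]
        for h in stale:
            h.state, h.conn = "I", None
        return len(stale)

    def reserved(self) -> int:
        return sum(1 for h in self.helpers if h.state == "R")


def simulate(pool: HelperPool, events) -> int:
    """events: (time, "type1" | "type3", conn). Returns refused reservations."""
    refused = 0
    for t, kind, conn in events:
        if kind == "type1" and not pool.reserve(conn, t):
            refused += 1
        elif kind == "type3":
            pool.complete(conn)
    return refused
```

With three helpers and three connections that send only their first packet, a fourth client is refused unless stale reservations are reaped; the `reserved()` count is what the "R" column in cachemgr reflects.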