Re: [squid-users] Reverse Proxy, OWA RPCoHTTPS and NTLM authentication passthrough

From: Abdessamad BARAKAT <abdsamad_at_barakat.fr>
Date: Thu, 17 Jul 2008 20:45:37 +0200

Thanks Amos and Joe for your opinion.

I will forget the idea to make this working...

Thanks again for your feedback.

On 17 Jul 08 at 13:10, Joe Tiedeman wrote:

> Amos,
>
> I've never been able to get NTLM pass thru to work with squid, I'm
> guessing because of the double hop issue. Kerberos, on the other
> hand, works perfectly once you've set up all the service principal
> names etc and is also much more secure. If you can get Kerberos
> working between the client and the OWA server directly, you can
> slot squid in the middle and the clients won't care.
>
>
> Joe Tiedeman
> Support Analyst
> Higher Education Statistics Agency (HESA)
> 95 Promenade, Cheltenham, Gloucestershire GL50 1HZ
> T 01242 211167 F 01242 211122 W www.hesa.ac.uk
>
>
> -----Original Message-----
> From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
> Sent: Thursday 17 July 2008 11:18
> To: Abdessamad BARAKAT
> Cc: squid-users_at_squid-cache.org
> Subject: Re: [squid-users] Reverse Proxy, OWA RPCoHTTPS and NTLM
> authentication passthrough
>
> Abdessamad BARAKAT wrote:
>>
>> Hi people,
>>
>> Nobody to give me feedback about this feature (ntlm auth
>> passthrough)?
>
> You know as much about this as most here. It doesn't work.
>
> I'm no expert myself but I suspect the reason goes something like
> this:
> (wild guess)
> NTLM is a sub-band authentication in background channels
> directly between the server and client. Now the client thinks the
> reverse-proxy IS the server so is happy to authenticate with it.
> Squid is possibly able to pass the login details back to Exchange,
> which required NTLM with the client. The client goes, hang on a minute,
> I wasn't talking to you, and kills the auth. Squid does not have
> the client-stored secret information to set up a fake NTLM sequence
> to Exchange on behalf of the username/pass it knows.
>
> As I said, I'm no expert, but it seems to me that is likely what
> the issue is. If I'm wrong can someone please indicate why such an
> old and popular item as NTLM re-auth has not been implemented in
> _any_ version of Squid yet?
>
> Amos
>
>>
>> Thanks
>>
>>
>> On 14 Jul 08 at 12:39, Abdessamad BARAKAT wrote:
>>
>>> Hi,
>>>
>>> I need to reverse proxy an OWA 2007 service and I have some
>>> problems with NTLM authentication and the RPC connection. Squid
>>> offers an SSL service and connects itself to the OWA with an SSL
>>> connection.
>>>
>>> The NTLM authentication is done by the OWA so I need squid to pass
>>> the credentials without modifying them.
>>>
>>> Actually I get only a 401 error code, but when I switch the
>>> authentication to "Basic authentication" in the Outlook Anywhere
>>> settings, it's working. I really want to have the NTLM
>>> authentication working so as not to ask all users to change their
>>> settings.
>>>
>>> The squid is chrooted.
>>>
>>> I have tried the following versions:
>>>
>>> - 3.0 STABLE7
>>>
>>> - 2.7STABLE3
>>>
>>> - 2.6STABLE21
>>>
>>> - 2.6STABLE3
>>>
>>> My setup (sometimes I need to add acl all or logfile_daemon between
>>> versions, that's all):
>>>
>>> #### CHROOT
>>> chroot /usr/local/squid
>>> mime_table /etc/mime.conf
>>> icon_directory /share/icons
>>> error_directory /share/errors/English
>>> unlinkd_program /libexec/unlinkd
>>> cache_dir ufs /var/cache 100 16 256
>>> cache_store_log /var/logs/store.log
>>> access_log /var/logs/access.log squid
>>> pid_filename /var/logs/squid.pid
>>> logfile_daemon /libexec/logfile-daemon
>>> ####
>>>
>>> # Define the required extension methods
>>> extension_methods RPC_IN_DATA RPC_OUT_DATA
>>>
>>> # Publish the RPCoHTTP service via SSL
>>> https_port 192.168.1.122:8443 cert=/etc/apache2/ssl/webmail.corporate.com.pem defaultsite=webmail.corporate.com
>>> cache_peer 172.16.18.13 parent 443 0 no-query originserver login=PASS ssl sslflags=DONT_VERIFY_PEER name=exchangeServer
>>>
>>> acl all src 0.0.0.0/0.0.0.0
>>> acl EXCH dstdomain .corporate.com
>>> cache_peer_access exchangeServer allow EXCH
>>> cache_peer_access exchangeServer deny all
>>> never_direct allow EXCH
>>> # Lock down access to just the Exchange Server!
>>> http_access allow EXCH
>>> http_access deny all
>>> miss_access allow EXCH
>>> miss_access deny all
>>>
>>> #no local caching
>>> #maximum_object_size 0 KB
>>> #minimum_object_size 0 KB
>>> #no_cache deny all
>>>
>>> #access_log /usr/local/squid/var/logs/access.log squid
>>>
>>> Thanks a lot for any tips or information.
>>>
>>>
>>>
>>>
>>
>
>
> --
> Please use Squid 2.7.STABLE3 or 3.0.STABLE7
>
Received on Thu Jul 17 2008 - 18:45:53 MDT

This archive was generated by hypermail 2.2.0 : Fri Jul 18 2008 - 12:00:04 MDT
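The thread turns on which authentication schemes the Exchange front end offers and which of them can survive an intermediary: Basic is repeated in every request, NTLM authenticates the TCP connection through a three-leg handshake, and Kerberos via Negotiate is a single forwardable token (with the SPN caveat Joe raises). The script below is an added illustration, not code from the thread or from the Squid project: it parses the WWW-Authenticate challenges out of a raw 401 response and classifies each scheme accordingly. The sample 401 is constructed, and the hostname and realm in it are placeholders.

```python
"""Inspect the WWW-Authenticate challenges a backend (here, an OWA/Exchange
front end) offers, and classify each scheme by whether it can survive an HTTP
reverse proxy between client and server. Added illustration; the sample
response is constructed, not captured from the thread's setup."""
import re
from typing import Dict, List, Tuple

# Constructed sample of what an IIS/Exchange front end typically answers before
# any credentials are sent. Hostname and realm are placeholders.
SAMPLE_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Server: Microsoft-IIS/7.0\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: NTLM\r\n"
    'WWW-Authenticate: Basic realm="webmail.corporate.com"\r\n'
    "Content-Length: 0\r\n"
    "\r\n"
)

# RFC 7230 token characters: no '=' and no ',', so a token68 blob such as
# "abc==" never parses as a key=value parameter.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_PARAM_RE = re.compile(rf'^({_TOKEN})=("(?:[^"\\]|\\.)*"|{_TOKEN})$')

# How each scheme behaves once an intermediary is in the path.
SCHEME_NOTES: Dict[str, Tuple[str, str]] = {
    "basic": ("per-request",
              "credentials are repeated in every request, so a proxy can forward them unchanged"),
    "digest": ("per-request",
               "each request carries its own response hash; forwardable"),
    "ntlm": ("connection-bound",
             "three-leg handshake authenticates the TCP connection itself; unless the proxy pins "
             "one client connection to one origin connection for the whole session, leg 3 arrives "
             "on a connection the origin never challenged"),
    "negotiate": ("token-based",
                  "a Kerberos ticket for the SPN of the hostname the client used fits in one header "
                  "and is forwardable; if Negotiate falls back to NTLMSSP it inherits NTLM's problem"),
}


def _split_outside_quotes(value: str) -> List[str]:
    """Split on commas that are not inside a quoted-string."""
    parts, buf, quoted, escaped = [], [], False, False
    for ch in value:
        if ch == '"' and not escaped:
            quoted = not quoted
        escaped = (ch == "\\" and not escaped)
        if ch == "," and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def _unquote(v: str) -> str:
    return v[1:-1].replace('\\"', '"') if v.startswith('"') else v


def parse_challenges(header_value: str) -> List[Dict]:
    """Parse one WWW-Authenticate value, which may hold several challenges
    (e.g. 'Negotiate, NTLM, Basic realm="x"'), into scheme/params/token dicts."""
    challenges: List[Dict] = []
    for piece in _split_outside_quotes(header_value):
        m = _PARAM_RE.match(piece)
        if m and challenges:
            # key=value continuing the current challenge's parameter list
            challenges[-1]["params"][m.group(1).lower()] = _unquote(m.group(2))
            continue
        scheme, _, rest = piece.partition(" ")
        chal: Dict = {"scheme": scheme.lower(), "params": {}, "token": None}
        rest = rest.strip()
        if rest:
            pm = _PARAM_RE.match(rest)
            if pm:
                chal["params"][pm.group(1).lower()] = _unquote(pm.group(2))
            else:
                chal["token"] = rest  # token68 blob such as a GSSAPI/NTLMSSP message
        challenges.append(chal)
    return challenges


def challenges_from_response(raw: str) -> Tuple[str, List[Dict]]:
    """Collect every WWW-Authenticate challenge from a raw HTTP response head."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    found: List[Dict] = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "www-authenticate":
            found.extend(parse_challenges(value.strip()))
    return lines[0], found


def assess(challenges: List[Dict]) -> List[Tuple[str, str, str]]:
    """Return (scheme, behaviour-class, note) for each offered challenge."""
    return [(c["scheme"], *SCHEME_NOTES.get(c["scheme"], ("unknown", "not classified")))
            for c in challenges]


if __name__ == "__main__":
    status, chals = challenges_from_response(SAMPLE_401)
    print(status)
    for scheme, kind, note in assess(chals):
        print(f"  {scheme:10s} {kind:17s} {note}")
```

Pointing `challenges_from_response` at the head of a real 401 (for instance the output of `curl -si https://<frontend>/rpc/rpcproxy.dll`, with the hostname being a placeholder) shows at a glance whether the backend offers Negotiate at all, which is the precondition for the Kerberos route Joe recommends, and whether the only non-Basic option is connection-bound NTLM.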