Re: [squid-users] NTLM Passthru to ISA2006

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sun, 18 Jan 2009 13:37:16 +1300

Dean A. Welbourn wrote:
> Hi Amos,
>
> Many thanks for your reply. I have tried changing the config to connection-auth=on but I still get the username/password prompt and even if I enter correct credentials after three attempts the ISA proxy returns an access denied page.
>
> Is there anything else I could be missing?
>
> Many thanks,
>
> Dean
>
> ----- Original Message -----
> From: "Amos Jeffries" <squid3_at_treenet.co.nz>
> To: "Dean A. Welbourn" <welbournd_at_clannet.co.uk>
> Cc: "squid-users" <squid-users_at_squid-cache.org>
> Sent: 14 January 2009 22:49:06 o'clock (GMT) Europe/London
> Subject: Re: [squid-users] NTLM Passthru to ISA2006
>
>> Hi,
>>
>> Sorry forgot to say that bit! I'm running Squid 2.7 STABLE 5 on Windows
>> Server 2003 (this is my boss's preferred OS).
>>
>> Thanks,
>>
>> Dean
>>
>> ----- Original Message -----
>> From: "Amos Jeffries" <squid3_at_treenet.co.nz>
>> To: "Dean A. Welbourn" <welbournd_at_clannet.co.uk>
>> Cc: squid-users_at_squid-cache.org
>> Sent: 14 January 2009 20:21:08 o'clock (GMT) Europe/London
>> Subject: Re: [squid-users] NTLM Passthru to ISA2006
>>
>>> Hi,
>>>
>>> Sorry for the delay I've been out of the office for a few days.
>>>
>>> Currently I have the following (I don't have any auth_ settings enabled):
>>>
>>> # Define source all
>>> acl all src all
>>>
>>> # Define Safe Ports
>>> acl SSL_ports port 443
>>> acl Safe_ports port 80 # http
>>> acl Safe_ports port 21 # ftp
>>> acl Safe_ports port 443 # https
>>> acl Safe_ports port 70 # gopher
>>> acl Safe_ports port 210 # wais
>>> acl Safe_ports port 1025-65535 # unregistered ports
>>> acl Safe_ports port 280 # http-mgmt
>>> acl Safe_ports port 488 # gss-http
>>> acl Safe_ports port 591 # filemaker
>>> acl Safe_ports port 777 # multiling http
>>> acl CONNECT method CONNECT
>>>
>>> # Deny requests to unknown ports
>>> http_access deny !Safe_ports
>>>
>>> # Deny CONNECT to other than SSL ports
>>> http_access deny CONNECT !SSL_ports
>>>
>>> # Allow access to ALL
>>> http_access allow all
>>>
>>> # Define port to listen on
>>> http_port 8080
>>>
>>> # Define cache peer
>>> cache_peer holly.selby.college parent 8080 7 proxy-only no-query no-digest login=PASS default
>>>
>>> Many thanks,
>>>
>>> Dean
>>>
>>> ----- Original Message -----
>>> From: "Amos Jeffries" <squid3_at_treenet.co.nz>
>>> To: "Dean A. Welbourn" <welbournd_at_clannet.co.uk>
>>> Cc: "squid-users" <squid-users_at_squid-cache.org>
>>> Sent: 11 January 2009 21:46:03 o'clock (GMT) Europe/London
>>> Subject: Re: [squid-users] NTLM Passthru to ISA2006
>>>
>>>> Hi,
>>>>
>>>> I'm trying to implement a Squid proxy with a parent of ISA2006 using
>>>> integrated NTLM passthru. Should this be possible? I either get three
>>>> username/password prompts before I get an authorization required error
>>>> message from the ISA server or just a page can not be displayed error?
>>>>
>>>> Any help would be greatly appreciated, this is for a college project.
>>>>
>>>> Many thanks,
>>>>
>>>> Dean Welbourn
>>>>
>>> What configuration do you have at present? Particularly the auth_*,
>>> cache_peer, acl, and http_access lines in the order they appear.
>>>
>>> Amos
>>>
>> Ah right. Squid version?
>> This is only expected to work in Squid-2.6, 2.7, or 3.1.
>>
>
> I have an experiment going with another user at present. The results so
> far lead me to believe that cache_peer with NTLM pass-thru can have either
> login=PASS - to pass login to backend in Basic format.
> or
> connection-auth=on - to pass NTLM messages through.
> but not both at the same time.
> Combining appears to cause multiple-login boxes from the backend which may
> not succeed even with correct credentials.
>
> This is not fully confirmed yet, so take it with a very large portion of
> doubt. But it may be worthwhile trying the other config.
>
> Amos

I've cc'd you in on the OWA thread where this has had a bit more
permutation testing. Albeit under Squid-3.1.0.3.

It appears to be the same issue and a bug in Squid's pass-thru handling.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE5 or 3.0.STABLE11
   Current Beta Squid 3.1.0.3
Received on Sun Jan 18 2009 - 00:37:23 MST
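
Added example, not part of the original thread and not Squid code: a small squid.conf audit that reports, for each cache_peer line, whether it sets login=PASS, connection-auth=on, or both, the combination the quoted reply tentatively links to repeated login prompts. The function names are hypothetical, the sample config is constructed from the cache_peer line posted in the thread, and exact matching of the two option values is an assumption.

```python
import re

# Constructed sample: the cache_peer line from the thread plus two variants of it.
SAMPLE_CONF = """\
# Define cache peer
cache_peer holly.selby.college parent 8080 7 proxy-only no-query no-digest login=PASS default
cache_peer holly.selby.college parent 8080 7 proxy-only login=PASS connection-auth=on default
cache_peer holly.selby.college parent 8080 7 proxy-only connection-auth=on default  # NTLM
http_access allow all
"""

COMMENT = re.compile(r"(^|\s)#.*$")  # '#' at line start or after whitespace


def parse_cache_peers(conf_text):
    """Return [(line_no, hostname, {option: value})] for each cache_peer line."""
    peers = []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        fields = COMMENT.sub("", raw).split()
        # Layout: cache_peer hostname type http-port icp-port [options]
        if len(fields) < 5 or fields[0] != "cache_peer":
            continue
        options = {}
        for token in fields[5:]:
            key, _, value = token.partition("=")
            options[key] = value
        peers.append((line_no, fields[1], options))
    return peers


def auth_mode(options):
    """Classify how a peer line relays client credentials to the parent."""
    basic = options.get("login") == "PASS"
    ntlm = options.get("connection-auth") == "on"
    if basic and ntlm:
        return "conflict"  # both set: the case the thread suspects
    if basic:
        return "login=PASS"
    if ntlm:
        return "connection-auth=on"
    return "none"


def audit(conf_text):
    """Return [(line_no, hostname, mode)] for every cache_peer directive."""
    return [(n, host, auth_mode(opts)) for n, host, opts in parse_cache_peers(conf_text)]


if __name__ == "__main__":
    for line_no, host, mode in audit(SAMPLE_CONF):
        print(f"line {line_no}: {host}: {mode}")
```
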
