Re: [squid-users] WWW-Authenticate header

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 14 Jun 2011 18:32:54 +1200

On 14/06/11 15:38, Mike Bordignon (GMI) wrote:
>
> Hello
>
> I'm trying to proxy access to a .Net Web application which requires IWA
> (Integrated Windows Authentication). From what I understand the server

Not another one. Good luck.

  If you have any influence or contact with the devs of that app please
help educate them of the safety issues involved with sending users
internal machine logins out over the global Internet. And HTTPS is no
longer a guarantee of protection.

> replies with a WWW-Authenticate header. Squid doesn't appear to be
> passing through the Authentication headers to the browser.

Indicating that Squid has detected the TCP links involved do not support
that type of auth.

>
> I'm using Squid 3.1.6 on Debian Squeeze. I have read that certain
> versions of Squid don't fully support the HTTP/1.1 features necessary to
> perform NTLM/Negotiate auth. I have tried the pipeline_prefetch off
> option with no luck. The proxy is not operating in transparent mode.
>
> Could anyone point me in the right direction?
>

pipeline_prefetch is one feature which NTLM auth will break. Make sure
that is turned OFF manually.

HTTP/1.0 persistent connections is another. Make sure
client_persistent_connections is turned ON manually in 3.1 series. Make
sure that server_persistent_connections is REMOVED from your config in
3.1 series, and manually turned ON in 3.0 and earlier.

After that its cross fingers and hope. If you find anything strange
still going on, please mention it.

When you encounter a problem the first thing asked will be to verify it
on the latest release. It speeds up the fix a bit if that is where its
found.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.12
   Beta testers wanted for 3.2.0.8 and 3.1.12.2
Received on Tue Jun 14 2011 - 06:34:13 MDT

This archive was generated by hypermail 2.2.0 : Wed Jun 15 2011 - 12:00:03 MDT