[squid-users] NTLM Passthrough - Windows 7 and 2008 clients

From: Momo <momo_at_linutex.net>
Date: Mon, 26 Mar 2012 16:42:09 +0200

Hi,

I'm in the following setup with Squid 2.7STABLE3:

Client ---> Squid ---> NTLM enabled proxy with transparent auth ---> Internet

I use the following configuration directives to achieve this:

cache_peer 172.17.86.27 parent 8080 0 proxy-only no-query default no-digest login=PASS
persistent_connection_after_error on
never_direct allow all

My clients are members of an Active Directory domain, and get
authenticated transparently (no auth pop-up) through my Squid server.
It works correctly with Windows XP/2000/2003 clients, but I'm facing a
problem that occurs only on 2008/Seven clients:
I get unexpected login pop-ups with these clients on some websites,
especially when browsing the following page:
https://www-304.ibm.com/support/docview.wss?uid=swg27017522

If I look at my NTLM enabled proxy logs, I can see for each error the
following entries:

httpproxy[15164]: [0xb1366f38] auth_adir_auth_crap_callback (auth_adir.c:883) Authorization denied (NT_STATUS_WRONG_PASSWORD)

After that, and because our password policy locks accounts after 3
auth failures, the user is locked out.

I already tried to force on client side "Send only NTLMv2 responses"
and disable 128Bit encryption enforcement, but no luck.

If anybody has a clue...
Thank you.
Received on Mon Mar 26 2012 - 14:42:32 MDT
