RE: [squid-users] https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm

From: Clem <clemfree_at_free.fr>
Date: Tue, 3 Apr 2012 17:00:34 +0200

-----Original Message-----
From: Clem [mailto:clemfree_at_free.fr]
Sent: Tuesday, 3 April 2012 16:54
To: 'Amos Jeffries'
Subject: RE: [squid-users] https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm

Hi Amos,

>What do you mean by "squid is handled only LM" ??

>Windows7 by default should be using Kerberos. It can downgrade to NTLMv2 if necessary for compatibility with old systems, but no further unless configured to use weaker security encodings.

The fact is, when I enable "use only NTLM", Outlook doesn't connect: two TCP_MISS 200 and nothing; the same with "use only NTLMv2". When I enable "use LM and NTLM", that works. So I assumed that only LM via Squid is working.
Without Squid, all NTLM versions work!

In XP, no changes in the config: same config in Outlook for the HTTP proxy, and that works, but in XP by default we have LM and NTLM in the security policies.

> Their choice of word "principal" instead of "domain" or "authority" in
> that setting makes me think that is a Kerberos principal key, rather than a certificate authority or NTLM domain scope.
> Bad naming on MS part? or something more complex than just NTLM going on?

Microsoft says that the principal name = the common name of the certificate, the "issued to" name.

-----Original Message-----
From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
Sent: Tuesday, 3 April 2012 16:05
To: squid-users_at_squid-cache.org
Subject: Re: [squid-users] https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm

On 3/04/2012 11:34 p.m., Clem wrote:
> Hi,
>
> My report with windows7 -> squid -> outlook anywhere with NTLM
>
> I have to modify the Windows 7 local policies for LAN Manager to -> LM and NTLM only; by default Windows 7 sends NTLMv2 only, and squid is handled only LM; when I chose NTLM only, that doesn't work either.

What do you mean by "squid is handled only LM" ??

Windows7 by default should be using Kerberos. It can downgrade to NTLMv2 if necessary for compatibility with old systems, but no further unless configured to use weaker security encodings.

>
> On top of that, I have to disable the "connect only to server proxy certificate that use this principal (common) name: msstd:externalfqdn" in the HTTP PROXY settings of Outlook (2007/2010).

Their choice of word "principal" instead of "domain" or "authority" in that setting makes me think that is a Kerberos principal key, rather than a certificate authority or NTLM domain scope.
  Bad naming on MS part? or something more complex than just NTLM going on?

>
> With these two settings I can connect to my Exchange via Squid, but it's not very easy ... My goal is to not modify parameters on my external laptop clients...
>
> When these options aren't modified, the issue is clearly the same: two TCP_MISS 200 messages and nothing, and "server is unavailable". Even in HTTP/1.0 or HTTP/1.1; I've tested with 2.7 (http11 option), 3.1.19 (HTTP/1.0) and 3.2.0.16 (HTTP/1.1).
>
> How can Squid send NTLMv2 sequences? How can Squid fake a "msstd: CN" message?
>
> Squid can work with XP natively, but with Windows 7 it's not very clearly simple :/
>
> Regards
>
> Clem
>
> -----Original Message-----
> From: Clem [mailto:clemfree_at_free.fr]
> Sent: Monday, 2 April 2012 16:20
> To: squid-users_at_squid-cache.org
> Subject: RE: [squid-users] https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm
>
>> Does the FRONT_END_HTTPS cache_peer setting make any change to that flags behaviour?
>
> Whether I write this option in cache_peer or not, no change ...
>
> -----Original Message-----
> From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
> Sent: Monday, 2 April 2012 16:00
> To: squid-users_at_squid-cache.org
> Subject: Re: [squid-users] https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm
>
> On 3/04/2012 1:33 a.m., Clem wrote:
>> Re,
>>
>> I've found the option that generates the issue only with Windows 7: in the Outlook HTTP proxy settings window, we have this checked automatically: connect only to server proxy certificate that use this principal (common) name:
>> msstd:externalfqdn
>>
>> When I uncheck this option, my Outlook (2007/2010) can connect through Squid with NTLM to my Exchange via Outlook Anywhere. If it's checked I've got a: server is unavailable.
>> In Windows XP, checked or not, that works.
>>
>> By the way, after the connection to Exchange succeeds in W7, that option rechecks itself automatically ...
>>
>> The point is, why? Maybe Windows 7 is more paranoid with certificates?
>>
>> Have you an idea ?
> Strange. Smells like a bug in Windows7 or a domain policy being pushed out.
>
> Does the FRONT_END_HTTPS cache_peer setting make any change to that flags behaviour?
>
> Amos
>
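The thread argues about which NTLM variant the Windows 7 client is really sending through Squid. A direct way to settle that is to decode the `Proxy-Authorization: NTLM <base64>` values seen in a Squid debug log or a capture. The following is an added example, not code from the thread, from Squid or from Microsoft: it classifies the NTLMSSP message type per the MS-NLMP layout, reports whether the NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY bit is set, and for AUTHENTICATE messages uses the NT-response length (24 bytes for NTLMv1, longer for NTLMv2) to name the variant; the `build_type1`/`build_type3` helpers only construct sample messages for testing.

```python
import base64
import struct

# MS-NLMP layout: 8-byte signature, uint32 LE message type at offset 8. The
# NegotiateFlags sit at 12 (NEGOTIATE), 20 (CHALLENGE) or 60 (AUTHENTICATE,
# after six 8-byte field descriptors: uint16 len, uint16 maxlen, uint32 offset).
SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000
FLAG_OFFSET = {1: 12, 2: 20, 3: 60}

def classify_ntlm(header_value):
    """Decode a 'NTLM <base64>' (Proxy-)Authorization value and report the
    message type; for AUTHENTICATE also which response variant was sent."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        return None
    raw = base64.b64decode(token)
    if not raw.startswith(SIGNATURE) or len(raw) < 12:
        return None
    msg_type = struct.unpack_from("<I", raw, 8)[0]
    if msg_type not in FLAG_OFFSET or len(raw) < FLAG_OFFSET[msg_type] + 4:
        return None
    flags = struct.unpack_from("<I", raw, FLAG_OFFSET[msg_type])[0]
    info = {"type": msg_type, "flags": flags,
            "ext_session_security": bool(flags & NEGOTIATE_EXTENDED_SESSIONSECURITY)}
    if msg_type == 3:
        lm_len = struct.unpack_from("<H", raw, 12)[0]
        nt_len = struct.unpack_from("<H", raw, 20)[0]
        # NTLMv2 = 16-byte NTProofStr + client blob; v1 = fixed 24-byte response
        info["variant"] = ("NTLMv2" if nt_len > 24 else "NTLMv1" if nt_len == 24
                           else "LM" if lm_len == 24 else "anonymous")
    return info

def encode(raw):
    return "NTLM " + base64.b64encode(raw).decode()

def build_type1(flags):  # constructed NEGOTIATE sample, no domain/workstation
    return encode(SIGNATURE + struct.pack("<I", 1) + struct.pack("<I", flags))

def build_type3(lm_resp, nt_resp, flags=0):
    """Constructed AUTHENTICATE sample: responses follow the 64-byte fixed part."""
    hdr = SIGNATURE + struct.pack("<I", 3)
    hdr += struct.pack("<HHI", len(lm_resp), len(lm_resp), 64)
    hdr += struct.pack("<HHI", len(nt_resp), len(nt_resp), 64 + len(lm_resp))
    hdr += struct.pack("<HHI", 0, 0, 64) * 4 + struct.pack("<I", flags)
    return encode(hdr + lm_resp + nt_resp)
```

Run `classify_ntlm` over each header value the client sent in the failing session: if the last message before the second TCP_MISS 200 is a type 3 tagged NTLMv2, the client did what the policy says and the break is on the proxy/peer side.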
Received on Tue Apr 03 2012 - 15:00:44 MDT

This archive was generated by hypermail 2.2.0 : Tue Apr 03 2012 - 12:00:02 MDT