Re: [squid-users] Authenticating to sharepoint NTLM

From: Javier Conti <javier.conti_at_gmail.com>
Date: Thu, 19 Apr 2012 00:21:53 +0200

On 19 April 2012 00:05, Simon Dwyer <mail_at_simmyd.net> wrote:
> Hi Javier,
>
> Well, you will be glad to know that I am using IWA with Windows 7 and it's
> working great for the most part.
>
> By IWA I mean using negotiated Kerberos authentication, which is what I
> think IWA basically is.

Hi Simon,

I think we're not talking about the "same IWA". I mean IWA as described
for example here [1] or here [2].

If that's what you're actually doing, would you be so kind as to post (or send
me off list) a dump of the request/response headers of the Windows 7
successfully doing IWA (going through Squid, obviously)?

Thanks, Javier

[1] http://en.wikipedia.org/wiki/Integrated_Windows_Authentication
[2] http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/523ae943-5e6a-4200-9103-9808baa00157.mspx?mfr=true

>
> There are just a few hiccups that happen but that also happens with
> NTLM being this issue.
>
> I also cannot get iTunes to use the proxy properly with authentication
> due to 100 popups asking for passwords.
>
> I will be working on this sharepoint issue more tomorrow however.
>
> Cheers,
>
> Simon
>
>
>
> On Wed, 2012-04-18 at 23:18 +0200, Javier Conti wrote:
>> On 18 April 2012 23:07, Simon Dwyer <mail_at_simmyd.net> wrote:
>> > I have seen this problem on a Windows 7 and a Fedora 16 machine. I
>> > think I can rule out the Windows machine for once ;)
>> >
>> > I am using FF on the Linux machine... is that known to have double NTLM
>> > issues?
>>
>> It is known for Windows 7 (I don't know about Linux clients) to behave
>> differently from Windows XP.
>>
>> As Clem suggested, there are a few settings that should make 7 behave
>> similarly to XP. I tried all of them (according to support at least) but
>> unfortunately, the problem persists.
>>
>> I would be more than happy to know that someone is successfully doing
>> Integrated Windows Authentication through Squid with a Windows 7 client!
>>
>> Regards, Javier
>>
>> >
>> > Simon
>> >
>> > On Wed, 2012-04-18 at 19:36 +0200, Clem wrote:
>> >> Hello,
>> >>
>> >> Try to set "Send LM & NTLM - use NTLMv2 session security if negotiated"
>> >> in local policies (secpol.msc)
>> >>
>> >> Go to: Local Policies > Security Options
>> >>
>> >> Find "Network Security: LAN Manager authentication level"
>> >>
>> >> Change Setting from "Send NTLMv2 response only"
>> >> to
>> >> "Send LM & NTLM - use NTLMv2 session security if negotiated"
>> >>
>> >> Good luck !
>> >>
>> >>
>> >> Clem
>> >>
>> >> On 18/04/2012 18:51, Javier Conti wrote:
>> >> > On 18 April 2012 07:33, Simon Dwyer <mail_at_simmyd.net> wrote:
>> >> >> Hi all,
>> >> >>
>> >> >> I have just implemented squid with kerberos + ntlm + basic
>> >> >> authentication.
>> >> >>
>> >> >> I have just been told accessing a sharepoint website on the internet has
>> >> >> stopped working.
>> >> >>
>> >> >> It seems the site is running NTLM authentication.
>> >> >>
>> >> >> I have wiresharked the traffic on the proxy and can see the request come
>> >> >> in from the client then out to the web server and the NTLM fields are
>> >> >> left in place.
>> >> >>
>> >> >> The sharepoint server is responding with a 401 unauthorized.
>> >> >>
>> >> >> Where would be the next place to start looking?
>> >> > Are you trying with Windows 7 clients? If yes, have you tried with a Windows
>> >> > XP one?
>> >> >
>> >> > I'm facing the same problem (getting Integrated Windows Authentication to
>> >> > work through Squid) and as long as clients are Windows XP it works fine.
>> >> >
>> >> > If this is the case, I can tell you that we already tried to lower the
>> >> > security settings in Windows 7 to something comparable to those of Windows
>> >> > XP but still see differences in behaviour (and still have the problem)...
>> >> >
>> >> > Regards, Javier
>> >> >
>> >> > PS: excuse me OP if the message went through twice, but Android doesn't
>> >> > let me send plain text emails and the first one got bounced :(
>> >> >
>> >> >> I am running 3.1.10.
>> >> >>
>> >> >> Thanks all,
>> >> >>
>> >> >> Simon
>> >> >>
>> >
>> >
>
>
Received on Wed Apr 18 2012 - 22:22:01 MDT
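
Added example (not part of the original message, and not Squid's own code): a small Python helper for reading the kind of request/response header dump asked for above. It tells whether an NTLM or Negotiate header value carries raw NTLMSSP or a GSS-API/SPNEGO token that names Kerberos; the function name `classify` and the sample tokens are constructed for illustration.

```python
import base64
import struct

# DER-encoded mechanism OIDs found inside GSS-API / SPNEGO tokens.
MECH_OIDS = {
    bytes.fromhex("06062b0601050502"): "SPNEGO",
    bytes.fromhex("06092a864886f712010202"): "Kerberos 5",
    bytes.fromhex("06092a864882f712010202"): "Kerberos 5 (legacy Microsoft OID)",
    bytes.fromhex("060a2b06010401823702020a"): "NTLMSSP",
}
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def classify(header_value):
    """Describe the value of an Authorization/Authenticate header (hypothetical helper)."""
    scheme, _, token = header_value.strip().partition(" ")
    token = token.strip()
    if scheme.lower() not in ("ntlm", "negotiate"):
        return f"{scheme}: not an IWA scheme"
    if not token:
        return f"{scheme}: scheme offered, no token"
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:
        return f"{scheme}: token is not valid base64"
    if raw.startswith(b"NTLMSSP\x00") and len(raw) >= 12:
        # Message type is a little-endian uint32 right after the signature.
        (msg_type,) = struct.unpack_from("<I", raw, 8)
        return f"{scheme}: raw NTLMSSP {NTLM_TYPES.get(msg_type, 'unknown type')}"
    if raw[:1] == b"\x60":  # GSS-API InitialContextToken tag
        hits = sorted((raw.find(oid), name) for oid, name in MECH_OIDS.items() if oid in raw)
        names = [name for _, name in hits if name != "SPNEGO"]
        return f"{scheme}: GSS-API token, mechanisms: {', '.join(names) or 'none recognised'}"
    return f"{scheme}: unrecognised token"


# Constructed sample tokens (not captured traffic; the SPNEGO one is truncated).
NTLM_TYPE1 = base64.b64encode(b"NTLMSSP\x00" + struct.pack("<II", 1, 0xA2088207)).decode()
SPNEGO_KRB = base64.b64encode(
    b"\x60\x20" + bytes.fromhex("06062b0601050502") + bytes.fromhex("06092a864886f712010202")
).decode()

if __name__ == "__main__":
    for value in ("Negotiate", "NTLM " + NTLM_TYPE1, "Negotiate " + NTLM_TYPE1, "Negotiate " + SPNEGO_KRB):
        print(classify(value))
```

Only the first client token of a Negotiate exchange is identified this way; later SPNEGO response tokens use a different leading tag and are reported as unrecognised.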

This archive was generated by hypermail 2.2.0 : Thu Apr 19 2012 - 12:00:03 MDT