[squid-users] Re: Question about changing authentication in a http session.

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Tue, 4 Feb 2014 21:06:54 -0000

Hi Amos,

   I tried 3.4.3 and it didn't change. I attach a access.log cache.log and
a wireshark capture file. You will see the first Negotiate/NTLM
authentication attempt is declined and the Negotiate/Kerberos attempt is not
processed by the auth helper ( I assume because it is on the same session as
I get successful authenticated when I wait a bit )

   Is there a way in the dispatcher to check the auth method has changed
despite being the same session ? I know it is more difficult for
Negotiate/NTLM to Negotiate/Kerberos as you need to check the token.

Thank you
Markus

"Amos Jeffries" wrote in message
news:611078a64927db3a27e7bee1924693d2_at_treenet.co.nz...

On 2014-02-03 12:06, Markus Moeller wrote:
> Hi,
>
> I am testing authenticating a XP machine with Kerberos, but the
> client tries Negotiate/NTLM first after which squid does not accept
> the change to Negotiate/Kerberos anymore.
>
> If you look at the wireshark log you authentication attempts at
> 20:44:20 for Negotiate/NTLM and at 22:44:30 the client changed to
> Negotiate/Kerberos, but the cache.log file does not get any request
> after the 20:44:20 NTLM request. I can only see the deny entries in
> the access.log.
>
> I use squid 3.4.1 from the repository from 24 Dec 2013.
>
> Is this an expected behavious ?

Depends. Is this renegotiation being done on the same connection as NTLM
was begun? (sorry cant view the packet trace right now).

Do you get the same results with 3.4.3?
  It could be related to the helper decoding or external ACL loops bugs
fixed in 3.4.2 and 3.4.3.

Amos

Received on Tue Feb 04 2014 - 21:07:14 MST

This archive was generated by hypermail 2.2.0 : Wed Feb 05 2014 - 12:00:04 MST