
Enc: [Fwd: Re: Behaviour change in ntlm authentication - please help]


 



Henrik;
Is there a timeout for the reserved helper? Maybe a timeout can help in
the problem of the stuck reserved helpers.


Rafael Sarres de Almeida
Seção de Gerenciamento de Rede
Superior Tribunal de Justiça
Tel: (61) 319-9342







> Now, the browsers are getting one 407 error, sending an authentication
> package, getting another 407 error, sending a different authentication
> package, and then they are successfully authenticated. It seems to me that
> Squid is asking for ntlm v2, and was asking for ntlm v1 before. The domain
> policy for this is "Send LM & NTLM - Use NTLMv2 session security if
> negotiated".

This is the normal situation. There are always two NTLM packets sent by the
client per TCP connection to complete an NTLM authentication.

NTLM and NTLMv2 behave the same in this.

> Observing the "NTLM User Authentication Stats" in Cachemgr.cgi, we see that,
> in random times of the day, the ntlm helpers begin entering in the "R"
> state, and when all of them are in this state, then squid restarts itself,
> sometimes returning to normal operation, and sometimes repeating this
> process.

This indicates you have too few helpers for the client load you are 
having, or that you have malicious clients never completing the NTLM 
authentication but keeping their connection open. Due to the quite poor 
design of NTLM over HTTP authentication you need very many helpers.

A helper is reserved between the two NTLM packets sent by the client. This
may be for quite extended periods of time (minutes) if the browser has
to ask the user to provide suitable login credentials to complete the
request.

Regards
Henrik
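
Added example, not part of either message and not Squid code: a small Python model of the helper reservation described in the reply, showing how connections that never send the second NTLM packet pin helpers in the "R" state. The `reserve_timeout` parameter is a hypothetical knob modelling the timeout asked about at the top of the thread, not a Squid directive, and the event timeline is constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class HelperPool:
    size: int                                # number of NTLM helper processes
    reserve_timeout: Optional[float] = None  # hypothetical knob, not a Squid directive
    reserved: dict = field(default_factory=dict)  # conn id -> time helper was reserved
    peak: int = 0      # most helpers in the "R" state at once
    starved: int = 0   # first packets that found every helper reserved
    expired: int = 0   # reservations reclaimed by the hypothetical timeout
    failed: int = 0    # second packets that no longer had a helper

    def _reap(self, now):
        if self.reserve_timeout is None:
            return
        for conn, since in list(self.reserved.items()):
            if now - since >= self.reserve_timeout:
                del self.reserved[conn]
                self.expired += 1

    def negotiate(self, now, conn):
        """First NTLM packet on a connection: reserve a helper."""
        self._reap(now)
        if len(self.reserved) >= self.size:
            self.starved += 1
            return
        self.reserved[conn] = now
        self.peak = max(self.peak, len(self.reserved))

    def authenticate(self, now, conn):
        """Second NTLM packet: the reserved helper finishes and is released."""
        self._reap(now)
        if self.reserved.pop(conn, None) is None:
            self.failed += 1

def run(events, size, reserve_timeout=None):
    pool = HelperPool(size, reserve_timeout)
    for now, conn, packet in sorted(events):
        getattr(pool, packet)(now, conn)
    return pool

# Constructed timeline: (seconds, connection, packet). s1 and s2 never send packet two.
EVENTS = [(0.0, "c1", "negotiate"), (0.5, "c1", "authenticate"),
          (1.0, "c2", "negotiate"), (1.5, "c2", "authenticate"),
          (2.0, "s1", "negotiate"), (3.0, "s2", "negotiate"),
          (4.0, "c3", "negotiate"), (4.5, "c3", "authenticate"),
          (100.0, "c4", "negotiate"), (100.2, "c5", "negotiate"),
          (101.0, "c4", "authenticate"), (101.2, "c5", "authenticate")]
```

With three helpers, `run(EVENTS, 3)` ends with two helpers still reserved and one client starved, while `run(EVENTS, 3, reserve_timeout=60)` frees them; a timeout shorter than a real login prompt, such as `0.3` here, breaks the well-behaved clients instead.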





