Hello @all,

I have a problem concerning the combination of ntlm_auth & Windows Update.

My scenario: Squid 2.5.9-10sarge2 on Debian Sarge authenticates the users against MS Active Directory with ntlm_auth with this squid.conf:

########### squid.conf ###################
client_netmask 255.255.255.0
dns_nameservers XXX.YYY.172.3
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 15
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic credentialsttl 5 hours
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 # https, snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl QUERY urlpath_regex cgi-bin \?
acl purge method PURGE
acl CONNECT method CONNECT
acl NTLMUsers proxy_auth REQUIRED
acl winupdate dstdomain .microsoft.com .windowsupdate.com
acl ftp proto FTP
no_cache deny winupdate
http_access allow all NTLMUsers
http_access allow winupdate
always_direct allow ftp
always_direct allow winupdate
no_cache deny QUERY
http_access deny all
http_reply_access allow all
icp_access deny all
cache_mgr root
dns_testnames heise.de google.de denic.de internic.net
######################################

I set up ntlm_auth with this HowTo: http://mkeadle.org/index.php?p=13

Everything has been working fine since today, but now I have a problem using the Windows Update web page. Without ntlm_auth I can access the page and retrieve the updates. When I enable ntlm_auth as shown in the squid.conf, the Windows Update page hangs while searching for updates :-(

In my opinion this is because of the ntlm_auth function:

######## access.log #########
XXX.YYY.172.0 TCP_DENIED/407 1861 GET http://www.microsoft.com/isapi/redir.dll? - NONE/- text/html
XXX.YYY.172.0 TCP_DENIED/407 1865 GET http://www.microsoft.com/isapi/redir.dll? - NONE/- text/html
XXX.YYY.172.0 TCP_MISS/302 625 GET http://www.microsoft.com/isapi/redir.dll? administrator DIRECT/207.46.20.30 text/html
XXX.YYY.172.0 TCP_MISS/304 414 GET http://windowsupdate.microsoft.com/ administrator DIRECT/207.46.225.221 -
###########################

As you can see, the proxy first says: Authentication required. Then the client responds and sends an NTLM_AUTH challenge and the proxy permits access. This works fine for every web page but not for Windows Update :-(

Should I post all of the relevant entries from access.log (~60 lines)?

Is there another way to transparently authenticate users against MS Active Directory?

Perhaps this is the wrong place to ask and I should contact the ntlm_auth developers - what do you think?

Greets from Germany,
Daniel Halbe
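
Added example, not part of the original post: Squid checks http_access rules top-down and stops at the first rule whose ACLs all match, and a proxy_auth ACL answers a request that carries no credentials with a 407. The sketch below walks the rules posted above for such a request and compares them with a reordered variant; the function names and the reordered variant are assumptions of this example, and only the catch-all src, dstdomain and proxy_auth ACL types are modelled.

```python
# Constructed excerpt: ACL and http_access lines taken from the squid.conf in the post.
POSTED = """\
acl all src 0.0.0.0/0.0.0.0
acl NTLMUsers proxy_auth REQUIRED
acl winupdate dstdomain .microsoft.com .windowsupdate.com
http_access allow all NTLMUsers
http_access allow winupdate
http_access deny all
"""
# Hypothetical variant for comparison: the winupdate rule moved above the auth rule.
REORDERED = POSTED.replace("allow all NTLMUsers\nhttp_access allow winupdate",
                           "allow winupdate\nhttp_access allow all NTLMUsers")

def parse(conf):  # -> ({acl name: (type, values)}, [(action, [acl names])])
    acls, rules = {}, []
    for raw in conf.splitlines():
        tok = raw.split("#", 1)[0].split()  # drop trailing comments
        if len(tok) >= 3 and tok[0] == "acl":
            acls.setdefault(tok[1], (tok[2], []))[1].extend(tok[3:])
        elif len(tok) >= 2 and tok[0] == "http_access":
            rules.append((tok[1], tok[2:]))
    return acls, rules

def acl_result(acls, name, host):
    """True/False for a match; "auth" when a proxy_auth ACL needs credentials."""
    kind, vals = acls[name.lstrip("!")]
    if kind == "proxy_auth":
        return "auth"
    if kind == "dstdomain":  # ".example.com" matches the domain and its subdomains
        hit = any(host == v.lstrip(".") or (v[0] == "." and host.endswith(v)) for v in vals)
    elif kind == "src":
        hit = "0.0.0.0/0.0.0.0" in vals  # simplification: only a catch-all src is modelled
    else:
        raise ValueError(f"ACL type {kind!r} is not modelled in this example")
    return hit != name.startswith("!")

def first_decision(conf, host):
    """Walk http_access top-down for a request to `host` that carries no credentials."""
    acls, rules = parse(conf)
    for number, (action, names) in enumerate(rules, 1):
        for name in names:
            result = acl_result(acls, name, host)
            if result == "auth":
                return number, "407"  # challenge sent; later rules are not consulted
            if not result:
                break                 # one ACL on the line failed: try the next rule
        else:
            return number, action     # every ACL on the line matched
    return None, "no-match"
```

In the reordered variant any client reaches the listed domains without credentials, so the dstdomain list should be kept as narrow as the update clients allow.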