Squid-2.5 doesn't support the stuff required to properly proxy NTLM authentication. Here's the problem. NTLM is a three-stage process - the first stage is the "fail, auth required, please speak-y NTLM if you can." The client spits back some initial details. The second stage is the "fail, auth required, here's your challenge." The third stage is the successful bit but only stays successful for that particular server connection. Squid before squid-2.6 didn't "glue" server connections to client connections if NTLM authentication occured. This meant that the client may get a different server connection for each leg of the request (as the server has to support persistent connections to even participate in NTLM) and thus never quite managing to hold open an NTLM authenticated session. Squid-2.6 fixes this. Please try upgrading to the latest Squid-2.6 and let us know whether this fixes the problem or not. Adrian On Wed, Sep 13, 2006, Michael Davidson wrote: > Hi, > Has anyone had problems with Windows app's, using dotnet 2.0, > authenticating against a Squid proxy.? > > We have a situation where a C# application, using .NET 1.1, which > relays SMS's via the Internet, has been working successfully for many > moons. Upon re-compling this app and running it with .Net 2.0 we find > that the NTLMSSP authentication fails against our SQUID proxy server. > > Ethereal traces shows the usual initial situation where the app > establishes a TCP session with the proxy and then sends a HTTP POST, the > proxy responds with authentication required using NTLM and that TCP > session is closed. The application initiates another session and in the > HTTP POST, now includes the NTLM type 1 message. The proxy responds with > the "challenge" however the app does not respond to this and stops with > a 407 error. > > I'm more that ready to believe that this isn't a SQUID problem and > indeed have logged a ticket with Microsoft. I was really hoping that > someone on the list has a ready answer/suggestion for me. > > I have tested against a proxy made up of: > > System: 2.6.15-1.2054_FC5smp #1 SMP Tue Mar 14 16:05:46 EST 2006 i686 > i686 i386 GNU/Linux > > Squid Cache: Version 2.5.STABLE12 > configure options: --prefix=/etc/squid --bindir=/usr/bin > --sbindir=/usr/sbin --libexecdir=/usr/sbin --datadir=/usr/lib/squid > --sysconfdir=/etc/squid --localstatedir=/var/squid --libdir=/etc/squid > --m andir=/usr/share/man --enable-cache-digests > --enable-default-err-language=English --enable-err-languages=English > --enable-auth=ntlm --enable-ntlm-auth-helpers=SMB > --with-samba-sources=/root/samba-3.0.23b > > squid.conf snippet: > < > auth_param ntlm use_ntlm_negotiate on > auth_param ntlm program /usr/bin/ntlm_auth -d 9 -l /root/ntlm.log > --helper-protocol=squid-2.5-ntlmssp > auth_param ntlm children 5 > > > SAMBA/WinBind: samba-3.0.23b-1. > > The authentication backend is a Windows AD. > > Regards Mike D. > > -- > >
