Thanks Amos and Joe for your opinions.
I will forget the idea of making this work...
Thanks again for your feedback.
On 17 Jul 2008 at 13:10, Joe Tiedeman wrote:
Amos,
I've never been able to get NTLM pass-through to work with squid, I'm
guessing because of the double-hop issue. Kerberos, on the other
hand, works perfectly once you've set up all the service principal
names etc. and is also much more secure. If you can get Kerberos
working between the client and the OWA server directly, you can
slot squid in the middle and the clients won't care.
Joe Tiedeman
Support Analyst
Higher Education Statistics Agency (HESA)
95 Promenade, Cheltenham, Gloucestershire GL50 1HZ
T 01242 211167 F 01242 211122 W www.hesa.ac.uk
-----Original Message-----
From: Amos Jeffries [mailto:squid3@xxxxxxxxxxxxx]
Sent: Thursday 17 July 2008 11:18
To: Abdessamad BARAKAT
Cc: squid-users@xxxxxxxxxxxxxxx
Subject: Re: Reverse Proxy, OWA RPCoHTTPS and NTLM authentication passthrough
Abdessamad BARAKAT wrote:
Hi people,
Nobody to give me feedback about this feature (NTLM auth
pass-through)?
You know as much about this as most here. It doesn't work.
I'm no expert myself but I suspect the reason goes something like
this:
(wild guess)
NTLM is a sub-band authentication in background channels
directly between the server and client. Now the client thinks the
reverse proxy IS the server, so it is happy to authenticate with it.
Squid is possibly able to pass the login details back to Exchange,
which required NTLM with the client. The client goes, hang on a minute,
I wasn't talking to you, and kills the auth. Squid does not have
the client-stored secret information to set up a fake NTLM sequence
to Exchange on behalf of the username/pass it knows.
As I said, I'm no expert, but it seems to me that is likely what
the issue is. If I'm wrong, can someone please indicate why such an
old and popular item as NTLM re-auth has not been implemented in
_any_ version of Squid yet?
Amos
Thanks
On 14 Jul 2008 at 12:39, Abdessamad BARAKAT wrote:
Hi,
I need to reverse-proxy an OWA 2007 service and I have some
problems with NTLM authentication and the RPC connection. Squid offers
an SSL service and connects itself to the OWA with an SSL connection.
The NTLM authentication is made by the OWA, so I need squid to pass
the credentials without modifying them.
Actually I get only a 401 error code, but when I switch the
authentication to "Basic authentication" in the Outlook Anywhere
settings, it's working. I really want to have NTLM authentication
working so as not to ask all users to change their settings.
The squid is chrooted.
I have tried the following versions:
- 3.0 STABLE7
- 2.7STABLE3
- 2.6STABLE21
- 2.6STABLE3
My setup (sometimes I need to add acl all or logfile_daemon between
versions, that's all):
#### CHROOT
chroot /usr/local/squid
mime_table /etc/mime.conf
icon_directory /share/icons
error_directory /share/errors/English
unlinkd_program /libexec/unlinkd
cache_dir ufs /var/cache 100 16 256
cache_store_log /var/logs/store.log
access_log /var/logs/access.log squid
pid_filename /var/logs/squid.pid
logfile_daemon /libexec/logfile-daemon
####

# Define the required extension methods
extension_methods RPC_IN_DATA RPC_OUT_DATA

# Publish the RPCoHTTP service via SSL
https_port 192.168.1.122:8443 cert=/etc/apache2/ssl/webmail.corporate.com.pem defaultsite=webmail.corporate.com

cache_peer 172.16.18.13 parent 443 0 no-query originserver login=PASS ssl sslflags=DONT_VERIFY_PEER name=exchangeServer

acl all src 0.0.0.0/0.0.0.0
acl EXCH dstdomain .corporate.com

cache_peer_access exchangeServer allow EXCH
cache_peer_access exchangeServer deny all
never_direct allow EXCH

# Lock down access to just the Exchange Server!
http_access allow EXCH
http_access deny all
miss_access allow EXCH
miss_access deny all

#no local caching
#maximum_object_size 0 KB
#minimum_object_size 0 KB
#no_cache deny all
#access_log /usr/local/squid/var/logs/access.log squid
Thanks a lot for any tips or information.
--
Please use Squid 2.7.STABLE3 or 3.0.STABLE7
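A small model of the failure discussed in this thread, added here as an example; it is not code from the thread, from Squid or from Exchange. It reduces NTLM to its essential shape: the server issues a challenge on a particular TCP connection, and only the client, holding the user's secret, can answer it with a keyed MAC (HMAC-MD5 here stands in for the real NTLMv2 computation over the NT hash; the wire format is not modelled). The Origin, Proxy and login helpers, the user "alice" and her secret are all constructed for the example. The proxy forwards the Authorization header untouched, which is what the thread hoped login=PASS would do, but it picks origin connections from a pool with no pinning. With two pooled connections the Type 1 message goes out on one connection and the Type 3 answer on another, so the origin never sees a completed handshake on any single connection and answers 401, exactly the symptom reported above; with one pinned connection the same exchange succeeds; and Basic succeeds regardless of pooling, because every request carries the whole credential.

```python
import hashlib
import hmac
import itertools
import secrets

# Constructed credential store: user -> shared secret (stands in for the NT hash).
USERS = {"alice": b"correct horse battery staple"}


def ntlm_response(secret: bytes, challenge: bytes) -> bytes:
    """Keyed MAC over the server challenge: the shape of an NTLM Type 3 proof.
    (Real NTLMv2 is HMAC-MD5 over the challenge plus a client blob.)"""
    return hmac.new(secret, challenge, hashlib.md5).digest()


class Origin:
    """Stands in for the OWA/Exchange server. NTLM state lives per TCP
    connection: a challenge belongs to the connection it was sent on, and a
    finished handshake authenticates that connection, not the user."""

    def __init__(self) -> None:
        self.pending = {}            # conn_id -> outstanding challenge
        self.authenticated = set()   # conn_ids whose handshake completed

    def handle(self, conn_id: int, authorization: str) -> dict:
        if authorization.startswith("Basic "):
            # Basic carries the full credential on every request: stateless.
            user, _, password = authorization[6:].partition(":")
            ok = USERS.get(user) == password.encode()
            return {"status": 200 if ok else 401}
        if conn_id in self.authenticated:
            return {"status": 200}
        if authorization == "NTLM type1":
            challenge = secrets.token_bytes(8)
            self.pending[conn_id] = challenge
            return {"status": 401, "challenge": challenge}
        if authorization.startswith("NTLM type3 "):
            user, _, proof = authorization[11:].partition(":")
            challenge = self.pending.pop(conn_id, None)
            if challenge is None:
                # No handshake in progress on THIS connection: reject.
                return {"status": 401, "reason": "no challenge on this connection"}
            expected = ntlm_response(USERS.get(user, b""), challenge).hex()
            if hmac.compare_digest(expected, proof):
                self.authenticated.add(conn_id)
                return {"status": 200}
            return {"status": 401, "reason": "bad response"}
        return {"status": 401, "reason": "authentication required"}


class Proxy:
    """Reverse proxy that relays the Authorization header unchanged but picks
    origin connections round-robin from a pool, with no pinning to the client."""

    def __init__(self, origin: Origin, pool_size: int) -> None:
        self.origin = origin
        self._pick = itertools.cycle(range(pool_size))

    def forward(self, authorization: str) -> dict:
        return self.origin.handle(next(self._pick), authorization)


def ntlm_login(proxy: Proxy, user: str) -> int:
    """Three-leg NTLM handshake as the Outlook client would run it.
    Returns the final HTTP status (200 or 401)."""
    first = proxy.forward("NTLM type1")
    if "challenge" not in first:          # connection already authenticated
        return first["status"]
    proof = ntlm_response(USERS[user], first["challenge"]).hex()
    second = proxy.forward(f"NTLM type3 {user}:{proof}")
    return second["status"]


def basic_login(proxy: Proxy, user: str, password: str) -> int:
    """Single Basic request; no per-connection state involved."""
    return proxy.forward(f"Basic {user}:{password}")["status"]


if __name__ == "__main__":
    # Pooled connections: Type 1 on conn 0, Type 3 on conn 1 -> 401
    print("NTLM, pool of 2:", ntlm_login(Proxy(Origin(), pool_size=2), "alice"))
    # One pinned connection (what the client gets talking to OWA directly) -> 200
    print("NTLM, pinned:   ", ntlm_login(Proxy(Origin(), pool_size=1), "alice"))
    # Basic is stateless, so pooling does not matter -> 200
    print("Basic, pool of 2:", basic_login(Proxy(Origin(), pool_size=2), "alice",
                                           "correct horse battery staple"))
```

Run it directly to see the three outcomes. The point the model makes is that the proxy cannot repair this by holding on to the client's Type 3 header: the challenge it answers, and the authenticated state that results, belong to one specific origin connection. The remedy is connection pinning, keeping each client connection paired with a single origin connection for the life of the handshake, which later Squid releases added for NTLM and Negotiate pass-through; Kerberos, as Joe notes above, sidesteps the problem because its ticket is self-contained and can be verified on any connection.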