Re: Java not working behind squid


Hi,

On Tue, 25 Aug 2009, Truth Seeker wrote:

> I have squid-3.0.STABLE13-1.el5 on CentOS 5.3 which is authenticating with 2003 AD (kerb + winbind) and have different acls (group based) in place.
> 
> The problem is, java is not working for our users. Previously they all were using ISA, and java was working for them.
> 
> in the following site;
> 
> http://www.dailyfx.com/  3rd column in the right side shows the "Live currency rates" which is working with java. This is a must in our environment... 
> 
> Awaiting your response...

We have a similar setup on one VLAN, with squid on linux authenticating
users using active directory.  We've seen lots of issues with Java not
being able to authenticate.

Testing the page you're talking about (albeit with a linux desktop), I get
a java popup window asking me for my AD username/password/domain, I type it
in but repeatedly it fails.

The squid access.log says:

1251204847.837      0 172.16.1.3 TCP_DENIED/407 1846 CONNECT balancer.netdania.com:443 - NONE/- text/html
1251204847.842      0 172.16.1.3 TCP_DENIED/407 1846 CONNECT balancer.netdania.com:443 - NONE/- text/html

I'm not sure if these lines in cache.log are relevant or not.

[2009/08/25 13:42:00, 1] libsmb/ntlmssp.c:ntlmssp_update(267)
  got NTLMSSP command 3, expected 1
[2009/08/25 13:42:00, 1] libsmb/ntlmssp.c:ntlmssp_update(267)
  got NTLMSSP command 3, expected 1
[2009/08/25 13:42:01, 1] libsmb/ntlmssp.c:ntlmssp_update(267)
  got NTLMSSP command 3, expected 1
[2009/08/25 13:42:01, 1] libsmb/ntlmssp.c:ntlmssp_update(267)
  got NTLMSSP command 3, expected 1
[2009/08/25 13:47:02, 1] libsmb/ntlmssp.c:ntlmssp_update(267)
  got NTLMSSP command 3, expected 1

My usual workaround is to add an ACL for that site which is far from ideal.
I've added the following ACL:

	acl dailyfx dstdomain balancer.netdania.com
	http_access allow dailyfx CONNECT

That works around the issue for me.  I still get prompted for the username
and password and the logs suggest some traffic isn't getting through.

1251205769.600  14385 172.16.1.3 TCP_MISS/000 7263 CONNECT balancer.netdania.com:443 - FIRST_UP_PARENT/172.20.2.3 -
1251205771.233      1 172.16.1.3 TCP_DENIED/407 1954 GET http://balancer.netdania.com/StreamingServer/StreamingServer? - NONE/- text/html
1251205771.239      3 172.16.1.3 TCP_DENIED/407 1969 GET http://balancer.netdania.com/StreamingServer/StreamingServer? - NONE/- text/html
1251205771.516    277 172.16.1.3 TCP_MISS/200 1443 GET http://balancer.netdania.com/StreamingServer/StreamingServer? gavinmc FIRST_UP_PARENT/172.20.2.3 application/zip
1251205774.813     55 172.16.1.3 TCP_DENIED/407 1954 GET http://balancer.netdania.com/StreamingServer/StreamingServer? - NONE/- text/html
1251205774.816      0 172.16.1.3 TCP_DENIED/407 1969 GET http://balancer.netdania.com/StreamingServer/StreamingServer? - NONE/- text/html
1251205776.537   1721 172.16.1.3 TCP_MISS/200 1125 GET http://balancer.netdania.com/StreamingServer/StreamingServer? gavinmc FIRST_UP_PARENT/172.20.2.3 application/zip
1251205779.681      1 172.16.1.3 TCP_DENIED/407 1954 GET http://balancer.netdania.com/StreamingServer/StreamingServer? - NONE/- text/html
1251205779.685      1 172.16.1.3 TCP_DENIED/407 1969 GET http://balancer.netdania.com/StreamingServer/StreamingServer? - NONE/- text/html

If I drop the word CONNECT I get no errors at all, but that disables
authentication entirely for that site.

There is definitely some issue with authentication and Java.  I'm not sure
if it might actually be Authentication+Java+SSL.  Our problems are
generally with java-driven online banking applications.

Gavin 
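
An added example, not part of the original message: a small Python audit of access.log that counts, per client and destination, how many requests were challenged with 407, how many carried a user name, and how many were forwarded with no user at all (the effect of an allow rule placed ahead of authentication, as in the workaround above). It assumes Squid's default native log format; the function names are made up for this sketch.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Sample lines copied from the access.log excerpt in the message above.
SAMPLE_LOG = """\
1251205769.600  14385 172.16.1.3 TCP_MISS/000 7263 CONNECT balancer.netdania.com:443 - FIRST_UP_PARENT/172.20.2.3 -
1251205771.233      1 172.16.1.3 TCP_DENIED/407 1954 GET http://balancer.netdania.com/StreamingServer/StreamingServer? - NONE/- text/html
1251205771.239      3 172.16.1.3 TCP_DENIED/407 1969 GET http://balancer.netdania.com/StreamingServer/StreamingServer? - NONE/- text/html
1251205771.516    277 172.16.1.3 TCP_MISS/200 1443 GET http://balancer.netdania.com/StreamingServer/StreamingServer? gavinmc FIRST_UP_PARENT/172.20.2.3 application/zip
"""

def dest_host(method, url):
    """CONNECT targets are host:port; other requests carry an absolute URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0]
    return urlsplit(url).hostname or url

def summarize(log_text):
    """Per (client, host): count 407 challenges, authenticated and user-less requests."""
    stats = defaultdict(lambda: {"denied_407": 0, "authenticated": 0, "unauthenticated": 0})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 10:
            continue  # blank or truncated line
        client, result, method, url, user = fields[2], fields[3], fields[5], fields[6], fields[7]
        status = result.rsplit("/", 1)[-1]
        entry = stats[(client, dest_host(method, url))]
        if status == "407":
            entry["denied_407"] += 1  # proxy challenged the client for credentials
        elif result.startswith("TCP_DENIED"):
            continue  # refused for another reason, nothing was forwarded
        elif user == "-":
            entry["unauthenticated"] += 1  # forwarded with no user name recorded
        else:
            entry["authenticated"] += 1
    return dict(stats)

def unauthenticated_destinations(stats):
    """Hosts that received at least one request forwarded without a user name."""
    return sorted({host for (_, host), s in stats.items() if s["unauthenticated"]})

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for key, counts in report.items():
        print(key, counts)
    print("no-auth destinations:", unauthenticated_destinations(report))
```

Run against the real log, the list of no-auth destinations shows exactly which hosts the exception rule has opened up, which makes it easier to keep such rules narrow.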


