On Wed, 30 Sep 2009 21:05:07 -0500, Walter Cuestas <wcuestas@xxxxxxxxxxxx> wrote: > Hi, in short : > > Every time a user click on a link in a MS Office document or select some > Internet related app (like MS Windows Media Player), the user if forced to > re-authenticate (a popup window appears). > > We have tested using Firefox instead IE7/IE8 and happens the same, but, if > we use OpenOffice.org and Firefox in the same machines, no > re-authentication is required. So, it seems this is a MS related problem > with Squid. (Time and resource usage related stuff has been tested and > are not the source of this problem). Yes. New internet links by new software not already knowing the login tends to do this. Clicking on links within firefox is no different to opening IE and clicking links inside the pages themselves. OpenOffice I dare say makes firefox or IE open the page, yes? which would make the browser work with the proxy as it would for any other web page using credentials it has previously been given for the proxy. MS software tends to link individually to the web engine software built into windows. So each app (Media Player, IE, MSN, Live Messenger, Office, etc) has effectively its own different web browser. With their own settings etc. You might be able to get around some of this by ensuring that the MS software all use the same proxy settings. ( to do that set the IE internet options correctly then run the command line "proxycfg -u" ) but that will not help unless you can enter the user credentials into every piece of browser software on the computer as well. Or use some form of single-sign-on. Personally I dislike this model of embedding, but I applaud MS for at least keeping the private settings separate by default. > > The authentication uses the basic one (not NTLM) and goes to an Active > Directory. > > Any clue about it will help us a lot! Please upgrade to a recent STABLE release as soon as possible. *10 was officially withdrawn for serious usability issues. There are also major security issues as far up as *18. I hope the 2.1 part of your version numbering means those at least have been patched. > > Thanks in advance. > > PD: Some extract from access.log : An extract which does not include the successful requests ( *_MISS and *_HIT) would be easier to read... Cropping it down shows only two there. * One is a outright forbidden (403) * The other is missing authentication credentials (407). * all requests are logged from 127.0.0.1 which prevents any track of whether the auth was retried later. > 127.0.0.1 - smedina [30/Sep/2009:16:40:39 -0500] "GET > http://rad.msn.com/ADSAdClient31.dll? HTTP/1.0" 403 1522 TCP_DENIED:NONE > 127.0.0.1 - - [30/Sep/2009:16:40:46 -0500] "GET > http://crl.microsoft.com/pki/crl/products/CodeSignPCA2.crl HTTP/1.0" 407 > 2039 TCP_DENIED:NONE There is little more we can say with the given details. The fact that Firefox has no issues indicates it's not a Squid problem. Amos
