Hi, > I say "usually normal", because the client software should be aware of > that requirement and send the auth for as many requests as needed in the > session. Sniffing between Squid and clients shows that clients never send auth data within further requests in the session. Clients only send auth data just after receiving an "HTTP/1.1 401 Unauthorized" from the remote web server. Jean-Marc Nogues -----Message d'origine----- De : NOGUES Jean-Marc (EURIWARE) Envoyé : mardi 3 novembre 2009 10:36 À : 'Amos Jeffries' Objet : RE: Pb with Microsoft Integrated Login and Squid 3.1 Hi Amos, All clients have : Windows XP SP2 and IE 6.0.2900.2180_xpsp_sp2_gdr.070227-2254 crypt=128 bits At the bottom of the trace joined we can see an incoming "HTTP/1.1 401 Unauthorized"and then the rest of the upload previously initiated by the client. ( Sorry but, for security reasons I had to to extract a .txt file from the original Winshark trace. - tell if you need more ) regards, Jm Nogues -----Message d'origine----- De : Amos Jeffries [mailto:squid3@xxxxxxxxxxxxx] Envoyé : mardi 3 novembre 2009 05:54 À : NOGUES Jean-Marc (EURIWARE) Cc : squid-users@xxxxxxxxxxxxxxx Objet : Re: Pb with Microsoft Integrated Login and Squid 3.1 NOGUES Jean-Marc (EURIWARE) wrote: > Hi, > > I have upgraded our squid from 2.5 stable6 to 3.1.0.14 . This because > many remote web servers want Microsoft connection oriented > authentication and I 'have seen that squid 2.5 doesn't forward that > kind of authentication. . > > Now using squid 3.1, my users can connect such web servers but there > is still an issue.. > > From time to time , when uploading a file , users get a blank page and > message "Request not yet fully sent" can be seen in cache.log file. > > Sniffing this (sniffer between proxy and web servers) I can see that, > from time to time, servers are going on sending authentication requests > although the user has been already authenticated (is it a normal > behaviour ?). Yes this is _usually_ normal. HTTP being stateless the auth details need to be sent on every request, or the client will be re-challenged. I say "usually normal", because the client software should be aware of that requirement and send the auth for as many requests as needed in the session. What is NOT normal here is seeing repeated series of missing-auth requests followed by auth request from the same clients. This is a sign of either client software breakage, NAT, or missing keep-alive data in the requests. Persistent connections, aka keep-alive, is REQUIRED on both the client and server connections for NTLM based auth along with connection pinning to force stateless HTTP into stateful behavior between the client and server. > > So sometimes it happens that Squid receives an authentication request as > it is still sending upload data to the server. > This stops the upload and produces the message seen in cache.log Looks like you have hit a bug. Possibly the one people are struggling with at present where a connections auth credentials are dropped mid-session. Can you supply any more detailed trace of whats going on please? Amos -- Please be using Current Stable Squid 2.7.STABLE7 or 3.0.STABLE20 Current Beta Squid 3.1.0.14
