On Wed, 15 Jun 2011 08:48:31 +1200, Mike Bordignon (GMI) wrote:
On 14/06/2011 6:32 p.m., Amos Jeffries wrote:
Not another one. Good luck.
If you have any influence or contact with the devs of that app
please help educate them about the safety issues involved with sending
users' internal machine logins out over the global Internet. And HTTPS
is no longer a guarantee of protection.
I do have access to the devs, but access won't be over the Internet -
it'll be over a LAN. No problem there.
replies with a WWW-Authenticate header. Squid doesn't appear to be
passing through the Authentication headers to the browser.
Indicating that Squid has detected the TCP links involved do not
support that type of auth.
I've since used Wireshark and it appears I am receiving
WWW-Authenticate headers. Somewhat confused now.
Welcome to the party.
Could be the security levels don't match between the WebApp server and
the workstation. NTLM has a layering system where the server advertises
its preferred security level, and the workstation agrees or does not
respond. There are five levels, some of which indicate willingness to
accept lower security, some restrict only to that level or higher.
This has the best explanation I've seen so far. Though it does not mention
where Negotiate/Kerberos fits into the layers.
http://technet.microsoft.com/en-us/magazine/2006.08.securitywatch.aspx
pipeline_prefetch is one feature which NTLM auth will break. Make
sure that is turned OFF manually.
HTTP/1.0 persistent connections is another. Make sure
client_persistent_connections is turned ON manually in 3.1 series.
Make sure that server_persistent_connections is REMOVED from your
config in 3.1 series, and manually turned ON in 3.0 and earlier.
After that it's cross fingers and hope. If you find anything strange
still going on, please mention it.
When you encounter a problem the first thing asked will be to verify
it on the latest release. It speeds up the fix a bit if that is where
it's found.
Thanks, I will keep that in mind. I've made the other config changes
you suggest but still I get prompted for a password by my browser, I
enter the correct password and again I get the prompt (via Firefox).
IE is working, however?!
Which indicates the credentials are fine, as is the proxy part of the
transaction. Firefox appears not to have security access to the OS properly
to do the background stuff required. 2/3 of NTLM and related protocols
is done in background actions.
Amos
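The config advice in this thread (pipeline_prefetch off, client_persistent_connections on, server_persistent_connections removed on the 3.1 series and explicitly on for 3.0 and earlier) is easy to get subtly wrong because the defaults differ between releases. The script below is an added example for auditing a squid.conf against exactly those three points; it is not code from the thread or from the Squid project. It assumes a flat squid.conf with one directive per line (include files are not followed) and the on/off spelling used by those releases; file paths and version strings are placeholders.

```shell
#!/bin/sh
# Added example, not from the squid-users thread or the Squid project:
# audit a squid.conf for the three settings that break NTLM authentication.
# Assumes a plain config with one directive per line and on/off values.

# Return 0 when "$1" (major.minor, e.g. 3.1) is 3.1 or later, 1 otherwise.
squid_is_31_or_later() {
    awk -v v="$1" 'BEGIN {
        split(v, a, "[.]")
        exit !(a[1] + 0 > 3 || (a[1] + 0 == 3 && a[2] + 0 >= 1))
    }'
}

# True when an active (non-comment) line of "$1" matches extended regex "$2".
# Trailing comments after a directive are stripped before matching.
conf_has() {
    sed -e 's/#.*//' "$1" | grep -Eq "$2"
}

# check_ntlm_conf <squid.conf> <major.minor>
# Prints one line per problem and returns 1 if any were found, 0 if clean.
check_ntlm_conf() {
    conf="$1"
    ver="$2"
    problems=0

    # NTLM ties authentication to the TCP connection; reading the next
    # request early, before the handshake on that connection has finished,
    # breaks it. Require the directive to be present and off.
    if ! conf_has "$conf" '^[[:space:]]*pipeline_prefetch[[:space:]]+off[[:space:]]*$'; then
        echo "pipeline_prefetch: add 'pipeline_prefetch off' explicitly"
        problems=$((problems + 1))
    fi

    # The browser-facing connection must survive the challenge/response
    # round trips, so client persistence has to be on explicitly.
    if ! conf_has "$conf" '^[[:space:]]*client_persistent_connections[[:space:]]+on[[:space:]]*$'; then
        echo "client_persistent_connections: add 'client_persistent_connections on' explicitly"
        problems=$((problems + 1))
    fi

    if squid_is_31_or_later "$ver"; then
        # 3.1 series: the directive should not appear in the config at all.
        if conf_has "$conf" '^[[:space:]]*server_persistent_connections([[:space:]]|$)'; then
            echo "server_persistent_connections: remove this directive on Squid $ver"
            problems=$((problems + 1))
        fi
    else
        # 3.0 and earlier: it must be turned on explicitly.
        if ! conf_has "$conf" '^[[:space:]]*server_persistent_connections[[:space:]]+on[[:space:]]*$'; then
            echo "server_persistent_connections: add 'server_persistent_connections on' on Squid $ver"
            problems=$((problems + 1))
        fi
    fi

    [ "$problems" -eq 0 ]
}

# Stand-alone usage (placeholder path): ./check_ntlm_conf.sh /etc/squid/squid.conf 3.1
if [ "$#" -eq 2 ]; then
    check_ntlm_conf "$1" "$2" && echo "no NTLM-breaking settings found in $1"
fi
```

Run it against the config and the major.minor of the Squid you actually have installed; a clean result only means these three directives are right, so the Firefox-versus-IE symptom discussed above (a client-side problem, not a proxy one) would still need the browser's own NTLM settings checked.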