Re: Re: NTLM auth for RPC over HTTPS to outlook everywhere

[Amos Jeffries <squid3@xxxxxxxxxxxxx>]

On 26/01/2012 9:22 p.m., Clem wrote:
> Hi Amos,
>
> I've tried, 2.7, 3.1.6, 3.1.18, 3.2.0.14 last release r11492, each time I've
> the same issue, that works in basic mode but not ntlm with this issue :
> fwdNegotiateSSL: Error negotiating SSL connection on FD on cache.log, and
> TCP_MISS/401  RPC_IN_DATA and RPC_OUT_DATA.

Ah. Setup problems on the SSL part of the SSL link between Squid and the 
backend server.

This config is working for a great many people exactly as written:
  http://wiki.squid-cache.org/ConfigExamples/Reverse/ExchangeRpc

With the mention of SSL I think the SSL libraries used by Squid and the 
Exchange server are not agreeing on SSL versions which are safe to use. 
Or the exchange server may be validating and rejecting the client 
certificate used by Squid cache_peer line.

> * enabling persistent connections to both servers and clients in Squid?
>
> How to enable this on squid ? please

squid.conf:
 server_persistent_connections on
 client_persistent_connections on

> * and HTTP/1.1 features to proxies in the MS client software? ->  I use
> standard settings of rpc proxy in exchange 2007 sp3, I don't know if I can
> set this feature, I'll try to look for.
>
> I am planning to use a sniffer to see exactly what's going on when the auth
> fails.
>
> By the way, thanks for your answer
>
> Have a good day
>
> Clémence
>
> -----Message d'origine-----
> De : Amos Jeffries [mailto:squid3@xxxxxxxxxxxxx]
> Envoyé : jeudi 26 janvier 2012 05:51
> À : squid-users@xxxxxxxxxxxxxxx
> Objet : Re:  Re: NTLM auth for RPC over HTTPS to outlook
> everywhere
>
> On 26/01/2012 4:50 a.m., Clem wrote:
> > Amos,
> >
> > Can you tell me if there'll be soon a revision of 3.2 beta for fixing the
> > problem with ntlm auth via rpc over https (outlook anywhere) ?
> There is another beta package scheduled to go out next weekend (early Feb).
>
> I'm not sure what the "doesn't work" problem you are seeing is exactly
> happening to say whether it is fixed by that package.
>
> Have you tried:
> * the latest 3.1 release? the statusIfComplete message you reported
> might be a sign that the RPC method is hitting bug 3398 which was fixed
> in 3.1.17 and later.
> * or the current 3.2 beta daily bugfix snapshot? more HTTP/1.1
> persistent connection problems are fixed there than in 3.1
> * enabling persistent connections to both servers and clients in Squid?
> * and HTTP/1.1 features to proxies in the MS client software?
>
> If all else fails  have you tried viewing the packets being sent on the
> client-squid and squid-server connections to see what is breaking?
>
> Amos
>
> > Thanks, regards
> >
> > Clémence
> >
> > -----Message d'origine-----
> > De : cl00m [mailto:clemfree@xxxxxxx]
> > Envoyé : mardi 24 janvier 2012 15:55
> > À : squid-users@xxxxxxxxxxxxxxx
> > Objet :  Re: NTLM auth for RPC over HTTPS to outlook
> everywhere
> > Please, help ...
> >
> > I'll have to find another solution if squid doesn't work with NTLM auth
> for
> > rpc over https to outlook anywhere...
> >
> >
> > --
> > View this message in context:
> http://squid-web-proxy-cache.1019090.n4.nabble.com/NTLM-auth-for-RPC-over-HT
> > TPS-to-outlook-everywhere-tp4315913p4323954.html
> > Sent from the Squid - Users mailing list archive at Nabble.com.