Re: NTLM, non-domain machines and keep-alive

[Harry Mills <harry@xxxxxxxxxxxxx>]

Hi Anders,

Thanks for the suggestion. If only all software was written to support 
standards properly! I have implemented quite a few noauth acls for those 
broken applications (often Anti-Virus updaters, and iDevice Apps) and 
they are working well. Interestingly, for some requests (often destined 
for apple.com, or icloud) we see tens of requests a second being 
answered with a 407 by squid. The client app just keesp hammering away 
irrespective of the returned error.... Anyway - I digress!

The problem we have is we are at a school where we need to authenticate 
web access for logging, and for applying appropriate policies to groups 
of users. For domain member machines this works very well - but for non 
domain machines we can't seem to limit the authentication requests (pop 
up auth box) to just a single prompt, and keep getting 3 in a row before 
the authentication succeeds. I would love to know if anyone else has 
come across this before (we see it on Windows XP, Windows 7, IE7, IE8, 
IE9 and Chrome).

Regards

Harry

On 09/05/2012 11:06, Anders.Larsson@xxxxxxxxx wrote:
> Hi!
>
> I did a acl noauth for dst domains and noauth for src with hosts/urls that wont work with auth :/
>
> acl noauth dstdom_regex -i "/etc/squid/noauth_dstdom/noauth"
>
> acl client srcdom_regex -i "/etc/squid/noauth/client"
>
>
> this line before the "acl domainusers proxy_auth REQUIRED"
> http_access allow noauth client
>
>
> // Anders
>
>   * Systemadmin Unix/Linux/Vmware
>   * Tieto
>   * Kyrkgatan 60
>   * 831 34 ÖSTERSUND
>   * Växel:        +46 (0)10 481 98 00
>   * Fax:          +46 (0)10 481 98 10
>   * Tel:          +46 (0)10 481 02 20
>   * Mobil:        +46 (0)70 656 42 64
>   * Mail:         anders.larsson@xxxxxxxxx
>   **********************************************
>
>    ---- Debian is they way to salvation ----
>
>    ---  How Hard Can It Be ---
>
> -----Original Message-----
> From: Harry Mills [mailto:harry@xxxxxxxxxxxxx]
> Sent: den 9 maj 2012 11:06
> To: squid-users@xxxxxxxxxxxxxxx
> Subject: Re:  NTLM, non-domain machines and keep-alive
>
> Hi,
>
> I am still unsure why IE and Chrome would pop up an authentication box 3
> times (rather than just once) when they are not a member of the domain.
> I would certainly expect a box to pop up - but why three times?!
>
> When I was testing with just NTLM as the authentication mechanism I set:
>
> auth_param ntlm keep-alive off
>
> This solved the 3-popup problem and IE just pops up one authentication box.
>
> We are now using the negotiate_wrapper around Kerberos and NTLM, which
> is working very well - except we still have the multi-authentication
> boxes popping up for non-domain windows machines.
>
> Can I set the same parameter for negotiate:
>
> auth_param negotiate keep-alive off
>
> or will have undesirable effects on Negotiate mechanism?
>
> If this is not a solution, is there another area I should be looking at
> as to why we are getting 3 popup boxes in a row when non-domain machines
> try to authenticate with Squid?
>
> Regards
>
> Harry
>
>
> On 20/04/2012 19:29, Harry Mills wrote:
> > Hi,
> >
> > Firstly, thank you Amos for helping out here. I am finding it rather
> > frustrating because I have enough knowledge on this subject get myself
> > into trouble, but not enough to get myself back out of it!
> >
> > On 20/04/2012 14:58, Amos Jeffries wrote:
> > > On 20/04/2012 12:03 a.m., Harry Mills wrote:
> > > > Hi,
> > > >
> > > > I have upgraded our squid to version 3.1.19 but I am still seeing the
> > > > repeated popup box issue with non-domain member machines (windows
> > > > machines).
> > >
> > > Well, yes. Lookup the requriements for NTLM with actual security
> > > enabled. #1 on the list is "join the client machine to domain" or some
> > > wording to that effect.
> >
> > This can be very frustrating! The problems I am facing are really caused
> > by the fact that Windows clients, when presented with "negotiate" as an
> > authentication option will choose NTLM when they are not members of the
> > domain. This would be fine if they simply popped up a box *once* for the
> > credentials, but having to type DOMAIN\username and a password three
> > times before you are allowed access is difficult to explain to end users!
> >
> > > NTLM and its relative are domain-based authentication protocols, with a
> > > centralized controller system. You are trying to make machines outside
> > > the domain with no access to the DC secrets able to generate tokens
> > > based on those secrets.
> > >
> > > It used to "work" for NTLMv1 because it has a failure recovery action
> > > which drops back to LM protocol which is frighteningly like Basic auth
> > > protocol without any domain secrets to validate the machine is allowed
> > > to be logged in with. None of the modern software permits that LM mode
> > > to be used anymore without some manual security disabling.
> >
> > I realise something has changed because our previous ( 4 years older )
> > squid with NTLM worked in exactly the way I would have expected. NTLM
> > working for all domain machines, and a *single* popup authentication box
> > for those clients which were not domain members - to be honest, I always
> > assumed that the single authentication box was the browser falling back
> > to Basic auth because it couldn't use NTLM.
> >
> > > > Domain member machines authenticate perfectly via NTLM, but non-domain
> > > > member machines (Windows XP, Windows 7) pop up a password box three
> > > > times before accepting the credentials.
> > > >
> > > > I have removed all the authentication directives _except_ the NTLM one
> > > > to simplify the troubleshooting.
> > > >
> > > > If I asked Internet Explorer to save the credentials then the
> > > > authentication works fine and I get no further popup boxes. Chrome is
> > > > the same - as is Firefox, although interestingly Firefox will only
> > > > authenticate if the credentials have been stored. If they have not
> > > > been stored (using IE remember password) it plain refuses to
> > > > authenticate at all (no popup boxes or anything).
> > >
> > > Wow strange behaviour from Firefox, do they have a bug report about this?
> >
> > I have not come across one, but will check and present one if not.
> >
> > > The others are correct for a non-domain machine. When connected to a
> > > domain the machine can validate that the requested NTLM domain/realm is
> > > the same as the machien login one and use that for single-sign-on.
> > > Without an existing domain login or pre-stored domain credentials to use
> > > it is only to be expected the browser asks for popup to be filled out by
> > > the user.
> >
> > I realise the popup is necessary as there are no domain credentials to
> > use, my confusion was that it pops up three times, my (probably
> > confused) logic is that it should only need to ask once!
> >
> > > > I am more than happy to work through this myself, but have exhausted
> > > > all my ideas. Could some one point me in the right direction?
> > >
> > > While keep-alive / persistent connections *is* mandatory for NTLM to
> > > work. The "auth_param ntlm keep-alive off" setting is a kind of special
> > > adaptation to keep-alive, which sends the challenge signalling NTLM then
> > > drops the connection. Forcing the client to open a new connection and
> > > start it with the auth handshake requests. Once the handshake is started
> > > the normal persistence settings take over.
> > >
> > > It is a bit nasty and somewhat confusing. But thats the best we can do
> > > with certain software.
> >
> > Thank you for that explanation - it is confusing! All I really want to
> > achieve is single-signon for the domain members, and a *single* password
> > popup for non-domain members.
> >
> > Thank you again for your help.
> >
> > Regards
> >
> > Harry
> >
> >
> > > Amos