Note the lack of a user-agent string. This is likely an app that cannot authenticate.
My standard for Auth Bypass is source IP, user-agent string and destination URL. Generally the source is preferred to be statically assigned otherwise you need to allow the entire dhcp pool or range. Because there is no user-agent you can drop the requirement or force it with some sort of negated logic (!any)
On Apr 8, 2015 11:21 AM, "Samuel Anderson" <sam@xxxxxxxxxx> wrote:
Hello all,I'm having a problem where HTTP 1.1 connect requests do not authenticate using NTLM. Browsing the internet works fine in all major browsers, I mostly see this occurring in programs that are installed locally on a users computer. Using wireshark I'm able to follow the TCP stream and I can see that the server returns the error (407 Proxy Authentication Required). I am able to work around this problem by explicitly bypassing a domain from requiring authentication, however I really don't want to do that. Any ideas would be appreciated very much.Thanks,Below is the content summery of some of the network packets that I'm working with along with my config fileTCP Stream Content####################CONNECT batch.internetpostage.com:443 HTTP/1.1Proxy-Connection: Keep-AliveHTTP/1.1 407 Proxy Authentication RequiredServer: squid/3.3.8Mime-Version: 1.0Date: Tue, 07 Apr 2015 21:02:24 GMTContent-Type: text/htmlContent-Length: 3208X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0Proxy-Authenticate: NegotiateProxy-Authenticate: NTLMX-Cache: MISS from squid2.****.localX-Cache-Lookup: NONE from squid2.****.local:3128Via: 1.1 squid2.****.local (squid/3.3.8)Connection: close####################CONFIG File#####################Kerberos and NTLM authenticationauth_param negotiate program /usr/local/bin/negotiate_wrapper --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=****.LOCAL --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAMEauth_param negotiate children 30auth_param negotiate keep_alive offauth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=****auth_param ntlm children 30auth_param ntlm keep_alive off# AD group membership lookupexternal_acl_type ldap_group ttl=60 children-startup=10 children-max=50 children-idle=2 %LOGIN /usr/lib/squid3/ext_ldap_group_acl -R -K -S -b "DC=****,DC=local" -D "CN=SQUID,OU=**** Service Accounts,DC=****,DC=local" -w "****" -f "(&(objectclass=person) (sAMAccountname=%v)(memberof=CN=%a,OU=PROXY,ou=ALL **** Groups,DC=**** ,DC=local))" -h dc1.****.local,dc2.****.local,dc3.****.local,dc4.****.local# auth requiredacl auth proxy_auth REQUIREDhttp_access deny !auth all####################--Samuel Anderson | Information Technology Administrator | International Document ServicesIDS | 11629 South 700 East, Suite 200 | Draper, UT 84020-4607
CONFIDENTIALITY NOTICE:This e-mail and any attachments are confidential. If you are not an intended recipient, please contact the sender to report the error and delete all copies of this message from your system. Any unauthorized review, use, disclosure or distribution is prohibited.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
