On 9/04/2015 3:20 a.m., Samuel Anderson wrote:
> Hello all,
>
>
> I'm having a problem where HTTP 1.1 connect requests do not authenticate
> using NTLM. Browsing the internet works fine in all major browsers, I
> mostly see this occurring in programs that are installed locally on a user's
> computer. Using wireshark I'm able to follow the TCP stream and I can see
> that the server returns the error (407 Proxy Authentication Required). I am
> able to work around this problem by explicitly bypassing a domain from
> requiring authentication, however I really don't want to do that. Any ideas
> would be appreciated very much.
>
> Thanks,
>
>
> Below is the content summary of some of the network packets that I'm
> working with along with my config file
>
> TCP Stream Content
>
> ####################
> CONNECT batch.internetpostage.com:443 HTTP/1.1
> Host: batch.internetpostage.com
> Proxy-Connection: Keep-Alive

Note the absence of Proxy-Authorization. This is the very start of the
auth sequence...

>
> HTTP/1.1 407 Proxy Authentication Required
> Server: squid/3.3.8
> Mime-Version: 1.0
> Date: Tue, 07 Apr 2015 21:02:24 GMT
> Content-Type: text/html
> Content-Length: 3208
> X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
> Proxy-Authenticate: Negotiate
> Proxy-Authenticate: NTLM
> X-Cache: MISS from squid2.****.local
> X-Cache-Lookup: NONE from squid2.****.local:3128
> Via: 1.1 squid2.****.local (squid/3.3.8)
> Connection: close

... Squid responds by indicating auth is required and what types may be
used. This is a perfectly normal and working stage-1 of any
authentication type. Including the fact the TCP connection is closed.

NTLM handshake stage-2 begins on a new TCP connection with the client
sending a repeat of the CONNECT request but containing the type-1
credentials token. Squid responds with a type-2 credentials token.

Then the client repeats the CONNECT for a third time with a type-3
credentials token, which Squid either accepts or rejects.

> ####################
>
> CONFIG File
>
> ####################
> <snip>
> # auth required
>
> acl auth proxy_auth REQUIRED
> http_access deny !auth all

The "all" here is probably why your authentication is failing. What it
does is prevent Squid emitting the stage-3 NTLM handshake response.

Amos
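
The handshake sequence described in the reply above, as an added example that is not part of the original message or of Squid: Python code that labels each HTTP message of a proxied CONNECT exchange by the NTLM token type it carries, so a capture shows how far the sequence got. The tokens are constructed 12-byte stubs (signature and type field only), and `ntlm_type`, `trace_handshake`, `make_token` and every sample message after the first two are assumptions made for illustration.

```python
import base64
import struct
NTLMSSP = b"NTLMSSP\x00"
TYPES = {1: "type-1 negotiate", 2: "type-2 challenge", 3: "type-3 authenticate"}

def ntlm_type(header_value):
    """Return the NTLM message type in a header value, or None if no token."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token.strip():
        return None  # bare "NTLM" offer, or another scheme such as Negotiate
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:
        return None  # not valid base64
    if len(raw) < 12 or not raw.startswith(NTLMSSP):
        return None
    return struct.unpack_from("<I", raw, 8)[0]  # little-endian type field

def trace_handshake(messages):
    """Label each HTTP message of a proxied CONNECT exchange with its stage."""
    stages = []
    for msg in messages:
        lines = msg.strip().splitlines()
        found = None
        for line in lines[1:]:
            name, _, value = line.partition(":")
            if name.strip().lower() in ("proxy-authorization", "proxy-authenticate"):
                found = ntlm_type(value) or found
        if found is not None:
            stages.append(TYPES.get(found, "unknown NTLM message"))
        elif lines[0].startswith("HTTP/"):
            stages.append("response, no token")
        else:
            stages.append("request, no credentials")
    return stages

def make_token(n):
    # Constructed 12-byte token (signature + type only), not a real credential.
    return base64.b64encode(NTLMSSP + struct.pack("<I", n)).decode()

# Constructed sample exchange; the first two messages follow the capture above.
REQ = "CONNECT batch.internetpostage.com:443 HTTP/1.1\nHost: batch.internetpostage.com\n"
SAMPLE = [
    REQ + "Proxy-Connection: Keep-Alive\n",
    "HTTP/1.1 407 Proxy Authentication Required\nProxy-Authenticate: Negotiate\nProxy-Authenticate: NTLM\n",
    REQ + "Proxy-Authorization: NTLM " + make_token(1) + "\n",
    "HTTP/1.1 407 Proxy Authentication Required\nProxy-Authenticate: NTLM " + make_token(2) + "\n",
    REQ + "Proxy-Authorization: NTLM " + make_token(3) + "\n",
]
```

Calling `trace_handshake` on the messages of a followed TCP stream (one string per request or response) gives the stage of each; a trace that ends at "response, no token" after a client token was sent marks the point where the proxy stopped continuing the handshake.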