On 30/09/22 06:28, K R, Bharath wrote:
> Hi Team,
> We see the below error while configuring Squid for NTLM V2.

FYI: NTLM was formally deprecated by Microsoft in April 2006. It should
not be used except as a last resort for supporting ancient client software.
Please consider implementing its replacement, Negotiate/Kerberos
authentication, instead.

> 1664469456.486 73 10.65.140.107 *TCP_DENIED/407* 4408 GET http://detectportal.firefox.com/canonical.html - HIER_NONE/- text/html

Please be aware that NTLM authentication has the following properties:
1) each TCP connection needs its own unique handshake.
2) the auth handshake is split over multiple HTTP requests, the first
several of which *will* receive a 407 response status.
3) it does not work outside LAN environments.

The log provided does not make it clear whether these 407s are the result
of auth rejection, or just of the proxy receiving a lot of new TCP
connections suddenly.

FWIW, from behaviour seen elsewhere with non-NTLM auth I suspect the
pattern of detectportal.firefox.com and push.services.mozilla.com
requests is Firefox automation that runs on opening, but does not try
to complete auth handshakes initially.

If you are only seeing this excess of 407s for those domains I would
ignore it as normal.

> 1664469612.625 34 10.65.140.107 TCP_DENIED/407 4326 CONNECT push.services.mozilla.com:443 - HIER_NONE/- text/html
>
> auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=xxxxx.com
> auth_param ntlm children 10
> auth_param ntlm keep_alive off
> auth_param ntlm program /usr/lib/squid/ntlm_auth xxxx.com/xxxxx.informatica.com
> auth_param ntlm children 5
> auth_param ntlm max_challenge_reuses 0
> auth_param ntlm max_challenge_lifetime 2 minutes

FYI, these max_challenge_* parameters have not been supported since
Squid-2.6.
If you are still using that version or older *PLEASE* upgrade. Currently
supported versions are the Squid-4 and Squid-5 series.

> acl ntlm_users proxy_auth REQUIRED
> http_access allow ntlm_users

This will permit anyone to supply bad credentials and still use the proxy.
I suggest replacing the above line with:

  http_access deny !ntlm_users

... then follow up with any policy rules for allowing users.

> #http_access deny all
>
> NOTE: Our wbinfo component is working as expected.
> We made use of
> https://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm for doc.
>
> Regards,
> Bharath
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
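Added example, not from this thread or from the Squid project: a small Python script that applies the two pieces of advice in the reply above to the quoted material. `lint_squid_conf()` flags an `http_access allow` on a `proxy_auth` ACL that is not preceded by the recommended `http_access deny !acl`, and the `max_challenge_*` directives the reply says are unsupported since Squid-2.6. `summarize_407s()` parses Squid native `access.log` lines and groups TCP_DENIED/407 responses by client and destination host, separating the Firefox start-up probes the reply mentions from everything else. The sample config and the first two log lines are taken from the thread; `intranet.example.com`, `user1`, `192.0.2.10` and the `10.65.0.0/16` range are constructed.

```python
"""Added example (not from the squid-users thread or the Squid project).
lint_squid_conf(): config checks for the points raised in the reply.
summarize_407s(): per-(client, host) breakdown of TCP_DENIED/407 log lines.
Sample data is constructed from the thread; intranet.example.com, user1,
192.0.2.10 and 10.65.0.0/16 are made up."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Firefox automation hosts the reply says do not complete the auth handshake on start-up.
EXPECTED_NOISE_HOSTS = {"detectportal.firefox.com", "push.services.mozilla.com"}
# auth_param ntlm directives the reply says are unsupported since Squid-2.6.
OBSOLETE_NTLM_PARAMS = {"max_challenge_reuses", "max_challenge_lifetime"}


def lint_squid_conf(conf_text):
    """Return sorted (line_no, message) findings. squid.conf requires an acl to be
    defined before use, so one pass is enough to know which names are proxy_auth ACLs."""
    findings, proxy_auth_acls, guarded, program_lines = [], set(), set(), []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        tok = raw.split("#", 1)[0].split()  # drop comments, skip blank lines
        if not tok:
            continue
        if tok[0] == "acl" and len(tok) >= 3 and tok[2] == "proxy_auth":
            proxy_auth_acls.add(tok[1])
        elif tok[0] == "auth_param" and len(tok) >= 3 and tok[1] == "ntlm":
            if tok[2] in OBSOLETE_NTLM_PARAMS:
                findings.append((no, f"'{tok[2]}' is unsupported since Squid-2.6; remove it and upgrade Squid"))
            elif tok[2] == "program":
                program_lines.append(no)
        elif tok[0] == "http_access" and len(tok) >= 3:
            if tok[1] == "deny":  # 'deny !acl' is the guard the reply recommends
                guarded.update(a[1:] for a in tok[2:] if a.startswith("!"))
            elif tok[1] == "allow":
                for acl in tok[2:]:
                    if acl in proxy_auth_acls and acl not in guarded:
                        findings.append((no, f"'http_access allow {acl}' on a proxy_auth ACL; "
                                             f"use 'http_access deny !{acl}' then explicit allow rules"))
    if len(program_lines) > 1:
        findings.append((program_lines[-1], "more than one 'auth_param ntlm program' line; "
                                            "check which helper is meant to be active"))
    return sorted(findings)


# Native access.log: time elapsed client result/status bytes method URL user hierarchy/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+"
    r"(?P<bytes>\d+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)$")


def dest_host(method, url):
    """CONNECT logs 'host:port'; other methods log a full URL."""
    return url.rsplit(":", 1)[0] if method == "CONNECT" else (urlsplit(url).hostname or url)


def summarize_407s(log_text):
    """Count TCP_DENIED/407 per (client, host), split into expected Firefox probes
    and everything else; also count lines that did not parse."""
    noise, other, unparsed = Counter(), Counter(), 0
    for raw in log_text.splitlines():
        line = raw.replace("*", "").strip()  # strip mail-client emphasis like *TCP_DENIED/407*
        if not line:
            continue
        m = LOG_RE.match(line)
        if not m:
            unparsed += 1
        elif m["result"] == "TCP_DENIED" and m["status"] == "407":
            host = dest_host(m["method"], m["url"])
            (noise if host in EXPECTED_NOISE_HOSTS else other)[(m["client"], host)] += 1
    return {"expected_noise": dict(noise), "other": dict(other), "unparsed": unparsed}


# Config as quoted in the thread.
SAMPLE_CONF = """\
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=xxxxx.com
auth_param ntlm children 10
auth_param ntlm keep_alive off
auth_param ntlm program /usr/lib/squid/ntlm_auth xxxx.com/xxxxx.informatica.com
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
acl ntlm_users proxy_auth REQUIRED
http_access allow ntlm_users
#http_access deny all
"""
# The same policy written the way the reply suggests (constructed).
FIXED_CONF = """\
acl ntlm_users proxy_auth REQUIRED
acl localnet src 10.65.0.0/16
http_access deny !ntlm_users
http_access allow localnet
http_access deny all
"""
# First two lines from the thread; the last two are constructed.
SAMPLE_LOG = """\
1664469456.486 73 10.65.140.107 *TCP_DENIED/407* 4408 GET http://detectportal.firefox.com/canonical.html - HIER_NONE/- text/html
1664469612.625 34 10.65.140.107 TCP_DENIED/407 4326 CONNECT push.services.mozilla.com:443 - HIER_NONE/- text/html
1664469620.100 12 10.65.140.107 TCP_DENIED/407 4300 GET http://intranet.example.com/ - HIER_NONE/- text/html
1664469621.000 40 10.65.140.107 TCP_MISS/200 5120 GET http://intranet.example.com/ user1 HIER_DIRECT/192.0.2.10 text/html
"""

if __name__ == "__main__":
    for no, msg in lint_squid_conf(SAMPLE_CONF):
        print(f"squid.conf:{no}: {msg}")
    print("fixed config findings:", lint_squid_conf(FIXED_CONF))
    print(summarize_407s(SAMPLE_LOG))
```

On the quoted config the linter reports the two `max_challenge_*` lines, the unguarded `http_access allow ntlm_users`, and the second `auth_param ntlm program` line; on the corrected policy it reports nothing. The log summary puts the detectportal and push.services hits in the expected-noise bucket and leaves any other 407s for follow-up, which is the split the reply suggests making before treating the 407s as an auth failure.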