Re: [squid-users] Java not working behind squid

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 26 Aug 2009 02:40:54 +1200

Gavin McCullagh wrote:
> Hi,
>
> On Tue, 25 Aug 2009, Truth Seeker wrote:
>
>> I have squid-3.0.STABLE13-1.el5 on CentOS 5.3 which is authenticating with 2003 AD (kerb + winbind) and have different acls (group based) in place.
>>
>> The problem is, java is not working for our users. Previously they all were using ISA, and java was working for them.
>>
>> in the following site;
>>
>> http://www.dailyfx.com/ 3rd column on the right side shows the "Live currency rates" which is working with java. This is a must in our environment...
>>
>> Awaiting your response...
>
> We have a similar setup on one VLAN, with squid on linux authenticating
> users using active directory. We've seen lots of issues with Java not
> being able to authenticate.
>
> Testing the page you're talking about (albeit with a linux desktop), I get
> a java popup window asking me for my AD username/password/domain, I type it
> in but repeatedly it fails.
>
> The squid access.log says:
>
> 1251204847.837 0 172.16.1.3 TCP_DENIED/407 1846 CONNECT balancer.netdania.com:443 - NONE/- text/html
> 1251204847.842 0 172.16.1.3 TCP_DENIED/407 1846 CONNECT balancer.netdania.com:443 - NONE/- text/html
>
> I'm not sure if these lines in cache.log are relevant or not.
>
> [2009/08/25 13:42:00, 1] libsmb/ntlmssp.c:ntlmssp_update(267)
> got NTLMSSP command 3, expected 1
> [2009/08/25 13:42:00, 1] libsmb/ntlmssp.c:ntlmssp_update(267)
> got NTLMSSP command 3, expected 1
> [2009/08/25 13:42:01, 1] libsmb/ntlmssp.c:ntlmssp_update(267)
> got NTLMSSP command 3, expected 1
> [2009/08/25 13:42:01, 1] libsmb/ntlmssp.c:ntlmssp_update(267)
> got NTLMSSP command 3, expected 1
> [2009/08/25 13:47:02, 1] libsmb/ntlmssp.c:ntlmssp_update(267)
> got NTLMSSP command 3, expected 1
>
> My usual workaround is to add an ACL for that site which is far from ideal.
> I've added the following ACL:
>
> acl dailyfx dstdomain balancer.netdania.com
> http_access allow dailyfx CONNECT
>
> That works around the issue for me. I still get prompted for the username
> and password and the logs suggest some traffic isn't getting through.
>
> 1251205769.600 14385 172.16.1.3 TCP_MISS/000 7263 CONNECT balancer.netdania.com:443 - FIRST_UP_PARENT/172.20.2.3 -
> 1251205771.233 1 172.16.1.3 TCP_DENIED/407 1954 GET http://balancer.netdania.com/StreamingServer/StreamingServer? - NONE/- text/html
> 1251205771.239 3 172.16.1.3 TCP_DENIED/407 1969 GET http://balancer.netdania.com/StreamingServer/StreamingServer? - NONE/- text/html
> 1251205771.516 277 172.16.1.3 TCP_MISS/200 1443 GET http://balancer.netdania.com/StreamingServer/StreamingServer? gavinmc FIRST_UP_PARENT/172.20.2.3 application/zip
> 1251205774.813 55 172.16.1.3 TCP_DENIED/407 1954 GET http://balancer.netdania.com/StreamingServer/StreamingServer? - NONE/- text/html
> 1251205774.816 0 172.16.1.3 TCP_DENIED/407 1969 GET http://balancer.netdania.com/StreamingServer/StreamingServer? - NONE/- text/html
> 1251205776.537 1721 172.16.1.3 TCP_MISS/200 1125 GET http://balancer.netdania.com/StreamingServer/StreamingServer? gavinmc FIRST_UP_PARENT/172.20.2.3 application/zip
> 1251205779.681 1 172.16.1.3 TCP_DENIED/407 1954 GET http://balancer.netdania.com/StreamingServer/StreamingServer? - NONE/- text/html
> 1251205779.685 1 172.16.1.3 TCP_DENIED/407 1969 GET http://balancer.netdania.com/StreamingServer/StreamingServer? - NONE/- text/html
>
> If I drop the word CONNECT I get no errors at all, but that disables
> authentication entirely for that site.
>
> There is definitely some issue with authentication and Java. I'm not sure
> if it might actually be Authentication+Java+SSL. Our problems are
> generally with java-driven online banking applications.
>
> Gavin
>

Probably not java+auth+SSL if the normal requests still fail the same way.

java + proxy auth in general is a known issue with certain versions of
Java. Thus the age-old 'browser' ACL for allowing Java seen in tutorials
all over the web.

I've heard rumours of newer versions doing better and fixing various
things. But no idea which versions, if it's fully fixed or just
half-fixed for some protocols/requests.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
   Current Beta Squid 3.1.0.13
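Added example, not from the thread: a small Python parser for the native access.log lines quoted above. It separates the normal NTLM dance (two 407s, then a 200 once the type 3 message arrives) from a client that keeps being challenged and never authenticates, which is the pattern in the first CONNECT excerpt. The sample lines are constructed to mirror the thread's excerpts; www.example.org is an invented healthy control host.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Native squid access.log layout (as in the thread's excerpts):
# time elapsed client code/status bytes method url user hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<code>[A-Z_]+)/"
    r"(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+"
    r"(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)$")

# Constructed sample modelled on the thread's excerpts, plus one healthy host.
SAMPLE_LOG = """\
1251204847.837 0 172.16.1.3 TCP_DENIED/407 1846 CONNECT balancer.netdania.com:443 - NONE/- text/html
1251204847.842 0 172.16.1.3 TCP_DENIED/407 1846 CONNECT balancer.netdania.com:443 - NONE/- text/html
1251205771.233 1 172.16.1.3 TCP_DENIED/407 1954 GET http://balancer.netdania.com/StreamingServer/StreamingServer? - NONE/- text/html
1251205771.239 3 172.16.1.3 TCP_DENIED/407 1969 GET http://balancer.netdania.com/StreamingServer/StreamingServer? - NONE/- text/html
1251205771.516 277 172.16.1.3 TCP_MISS/200 1443 GET http://balancer.netdania.com/StreamingServer/StreamingServer? gavinmc FIRST_UP_PARENT/172.20.2.3 application/zip
1251205780.000 12 172.16.1.3 TCP_MISS/200 5120 GET http://www.example.org/index.html gavinmc DIRECT/192.0.2.10 text/html
"""

def parse_line(line):
    """Parse one access.log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # CONNECT requests log host:port rather than a full URL.
    rec["host"] = (rec["url"].rsplit(":", 1)[0] if rec["method"] == "CONNECT"
                   else urlsplit(rec["url"]).hostname)
    return rec

def auth_failures(lines, min_denied=2):
    """Per (client, host, method): 407 challenges vs. authenticated successes.
    NTLM legitimately logs two 407s per connection (the bare challenge, then the
    type 2 challenge answering type 1) before type 3 earns a 200, so only a run
    of challenges with no success at all is flagged."""
    stats = defaultdict(lambda: [0, 0])  # [challenged, authenticated]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines in another log format
        key = (rec["client"], rec["host"], rec["method"])
        if rec["status"] == 407:
            stats[key][0] += 1
        elif rec["user"] != "-":
            stats[key][1] += 1
    return {k: tuple(v) for k, v in stats.items()
            if v[0] >= min_denied and v[1] == 0}
```

Running `auth_failures(SAMPLE_LOG.splitlines())` reports only the CONNECT tuple for balancer.netdania.com, while the GET requests (two 407s followed by an authenticated 200) are treated as a normal handshake.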
Received on Tue Aug 25 2009 - 14:41:05 MDT
