Re: [squid-users] Behaviour change in ntlm authentication - please help

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Fri, 24 Jun 2005 22:33:56 +0200 (CEST)

On Tue, 14 Jun 2005, zottmann wrote:

> Now, the browsers are getting one 407 error, sending an authentication
> package, getting another 407 error, sending a different authentication
> package, and then they are successfully authenticated. It seems to me that
> Squid is asking for ntlm v2, and was asking for ntlm v1 before. The domain
> policy for this is "Send LM & NTLM - Use NTLMv2 session security if
> negotiated".

This is the normal situation. There are always two NTLM packets sent by the
client per TCP connection to complete an NTLM authentication.

NTLM and NTLMv2 behave the same in this.

> Observing the "NTLM User Authentication Stats" in Cachemgr.cgi, we see that,
> in random times of the day, the ntlm helpers begin entering in the "R"
> state, and when all of them are in this state, then squid restarts itself,
> sometimes returning to normal operation, and sometimes repeating this
> process.

This indicates you have too few helpers for the client load you are
having, or that you have malicious clients never completing the NTLM
authentication but keeping their connection open. Due to the quite poor
design of NTLM over HTTP authentication you need very many helpers.

A helper is reserved between the two NTLM packets sent by the client. This
may be for quite extended periods of time (minutes) if the browser has
to ask the user to provide suitable login credentials to complete the
request.

Regards
Henrik
Received on Fri Jun 24 2005 - 14:34:15 MDT
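
Added example, not part of the original message and not Squid code: a small replay of the helper reservation described in the reply, run over a constructed event trace, showing how a fixed pool fills up and which connections hold a helper without completing. The event names, the `replay` function, the release-on-close rule and the stall threshold are assumptions made for illustration.

```python
# Constructed trace: (seconds, connection id, event). "negotiate" is the
# client's first NTLM packet, "authenticate" the second, "close" a TCP close.
EVENTS = [
    (0, "c1", "negotiate"), (1, "c1", "authenticate"),
    (2, "c2", "negotiate"),            # never sends the second packet
    (3, "c3", "negotiate"), (9, "c3", "authenticate"),
    (4, "c4", "negotiate"), (200, "c4", "close"),
    (5, "c5", "negotiate"),            # never sends the second packet
    (300, "c6", "negotiate"),          # still in progress when the trace ends
]


def replay(events, helpers, stall_after, end_time):
    """Replay a trace against a pool of `helpers` helper processes.

    Model (an assumption): one helper is reserved from a connection's first
    NTLM packet until its second packet or until the connection closes.
    Returns (peak_reserved, no_free_helper, stalled):
      peak_reserved  - most helpers reserved at the same moment
      no_free_helper - connections that arrived while the pool was full
      stalled        - connections that held a helper >= stall_after seconds
    """
    reserved = {}                      # connection id -> reservation time
    peak, no_free_helper, stalled = 0, [], []

    def release(conn, now):
        start = reserved.pop(conn, None)
        if start is not None and now - start >= stall_after:
            stalled.append(conn)

    for now, conn, kind in sorted(events):
        if kind == "negotiate":
            if len(reserved) >= helpers:
                no_free_helper.append(conn)
            else:
                reserved[conn] = now
                peak = max(peak, len(reserved))
        else:                          # "authenticate" or "close"
            release(conn, now)

    for conn in sorted(reserved):      # reservations still open at trace end
        release(conn, end_time)
    return peak, no_free_helper, stalled


if __name__ == "__main__":
    for pool in (3, 5):
        print(pool, replay(EVENTS, helpers=pool, stall_after=60, end_time=320))
```

With three helpers the trace fills the pool by second 4 and c5 finds no free helper; with five helpers nothing is turned away, but the connections that never complete still pin helpers for the rest of the trace.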
