Hi! Vista does not negotiate NLTMv2.
Start -> gpedit.msc (run as administrator)
Computer configuration -> Policies
Windows Settings ->
Security Settings->
Local Policies ->
Security Options
Find "Network Security: LAN MANAGER Authentication Level"
Set it to "Send LM * NTLM - use NTLMv2 session security if negotiated"
The reason behind this is that squid uses NTLMv2 after a certain version
(2.6 stable 12 if I'm not mistaken) but it is negotiated NTLMv2, rather than
just straight NTLMv2 for some reason. Vista refuses to negotiate by
default, accepting only NTLMv2
Hope this helps.
Carlos Martínez-Troncoso Cera wrote:
>
> Hello Squid gurus.
>
> Our proxy service was working very good until the last week when we
> received reports about some students couldn’t use the wireless LAN. In
> our network, if you are using wired LAN you can use the proxy without
> password, if you use the wireless, Squid prompts for a user/password
> (NTLM). The problem occurs with Windows Vista and Explorer 7. If you
> tried to surf there is no prompt for user password and you received the
> page error
> "Cache Use Denied", in the access.log shows TCP DENIED, if you try in
> the same computer with Firefox, works without problems.
>
> If you use Firefox with Vista or another operative system, or Explorer
> with XP, 2000, etc, everything is alright. The only problem is the mix,
> Windows Vista with Explorer 7.
>
> We were using Squid 2.6.17-1 with NTLM Auth (winbind, Samba 3.025b-1-14)
> in CentOS 5.2. Now we upgraded to Squid 3.0.7-1 (from Fedora´s src rpm)
> but the problem is the same. Before the problem we didn´t change
> anything. I just erased these lines from my squid.conf after the problem
> but the situation is the same:
>
> auth_param basic program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-basic -d=5
> auth_param basic children 30
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
>
>
>
> Do you have any report about problems with Vista and Explorer (maybe a
> new patch)?
>
> I didn´t find anything in the forum or Google. What kind of test can I do?
>
> Now I am installing Windows Vista in a notebook for test (we don´t like
> that "operative system" but our students like it) when the endless setup
> finished I will look the packets with a sniffer, another idea?
>
> This is my SQUID.CONF (I erased some acls because the file is very long):
>
> http_port 172.17.3.10:8080
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY
> cache_mem 64 MB
> cache_dir ufs /cache 6000 16 256
> cache_access_log /var/log/squid/access.log
> cache_log /var/log/squid/cache.log
> cache_store_log none
> half_closed_clients off
> quick_abort_min 0
> quick_abort_max 0
> pipeline_prefetch off
> ftp_user anonymous_at_uninorte.edu.co
>
> #WLAN Auth
> auth_param ntlm program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 30
>
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
>
> # ACCESS CONTROLS
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563 2083 2443 8443 445 3144 4050 4444
> acl Safe_ports port 80 81 21 443 563 70 210 1025-65535
> acl puerto_bloqueado port 1863 #Messenger bloqueado 16Feb2005
> acl CONNECT method CONNECT
>
> #No guarde en cache sitios dinamicos
> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY
>
> # Deny requests to unknown ports
> http_access deny puerto_bloqueado
> http_access deny !Safe_ports
> # Deny CONNECT to other than SSL ports
> http_access deny CONNECT !SSL_ports
>
> http_access allow PURGE localhost
> http_access deny PURGE
>
> #Sitios prohibidos
> acl prohibido dstdomain "/etc/squid/sitios-prohibidos"
> http_access allow carlos prohibido
> http_access deny prohibido
>
> #Autenticacion para WLAN
> acl wlan src "/etc/squid/ips-wlan"
> acl password proxy_auth REQUIRED
> http_access allow wlan password
>
> #Bloquear acceso de vlans estudiantes
> acl permitidos src "/etc/squid/permitidos"
> http_access allow permitidos
>
> http_access allow localhost
> http_access deny all
>
> http_reply_access allow all
>
> icp_access deny all
>
> cache_mgr admin_at_uninorte.edu.co
>
> cache_effective_user squid
> cache_effective_group squid
> visible_hostname cipres
> logfile_rotate 365
>
> Thanks in advance. Sorry for my bad English.
>
> --
> Ing. Carlos Martínez-Troncoso Cera
> Administrador de Servicios Internet y Correo Institucional
> Universidad del Norte - www.uninorte.edu.co
> Tel: 57 5 3509367
> Barranquilla, Colombia
>
>
>
-- View this message in context: http://www.nabble.com/Problems-with-Vista-and-Internet-Explorer---NTLM-Auth-tp18716930p19333454.html Sent from the Squid - Users mailing list archive at Nabble.com.Received on Fri Sep 05 2008 - 15:14:46 MDT
This archive was generated by hypermail 2.2.0 : Fri Sep 05 2008 - 12:00:03 MDT