Re: [squid-users] Squid squid3-3.0.STABLE10-2.11, IE7/IE8, Microsoft Applications

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 01 Oct 2009 15:04:20 +1200

On Wed, 30 Sep 2009 21:05:07 -0500, Walter Cuestas <wcuestas_at_open-sec.com>
wrote:
> Hi, in short :
>
> Every time a user clicks on a link in an MS Office document or selects some
> Internet related app (like MS Windows Media Player), the user is forced to
> re-authenticate (a popup window appears).
>
> We have tested using Firefox instead of IE7/IE8 and the same happens, but,
> if we use OpenOffice.org and Firefox on the same machines, no
> re-authentication is required. So, it seems this is an MS related problem
> with Squid. (Time and resource usage related stuff has been tested and
> is not the source of this problem).

Yes. New internet links by new software not already knowing the login tend
to do this.

Clicking on links within Firefox is no different from opening IE and clicking
links inside the pages themselves.
OpenOffice, I dare say, makes Firefox or IE open the page, yes? Which would
make the browser work with the proxy as it would for any other web page,
using credentials it has previously been given for the proxy.

MS software tends to link individually to the web engine software built
into windows. So each app (Media Player, IE, MSN, Live Messenger, Office,
etc) has effectively its own different web browser. With their own settings
etc.

You might be able to get around some of this by ensuring that the MS
software all uses the same proxy settings.
(To do that, set the IE internet options correctly, then run the command
line "proxycfg -u".) But that will not help unless you can enter the user
credentials into every piece of browser software on the computer as well.
Or use some form of single sign-on.

Personally I dislike this model of embedding, but I applaud MS for at least
keeping the private settings separate by default.

>
> The authentication uses the basic one (not NTLM) and goes to an Active
> Directory.
>
> Any clue about it will help us a lot!

Please upgrade to a recent STABLE release as soon as possible. *10 was
officially withdrawn for serious usability issues. There are also major
security issues as far up as *18. I hope the 2.1 part of your version
numbering means those at least have been patched.

>
> Thanks in advance.
>
> PD: Some extract from access.log :

An extract which does not include the successful requests ( *_MISS and
*_HIT) would be easier to read...

Cropping it down shows only two there.
* One is an outright forbidden (403).
* The other is missing authentication credentials (407).
* All requests are logged from 127.0.0.1, which prevents any tracking of
whether the auth was retried later.

> 127.0.0.1 - smedina [30/Sep/2009:16:40:39 -0500] "GET http://rad.msn.com/ADSAdClient31.dll? HTTP/1.0" 403 1522 TCP_DENIED:NONE

> 127.0.0.1 - - [30/Sep/2009:16:40:46 -0500] "GET http://crl.microsoft.com/pki/crl/products/CodeSignPCA2.crl HTTP/1.0" 407 2039 TCP_DENIED:NONE

There is little more we can say with the given details. The fact that
Firefox has no issues indicates it's not a Squid problem.

Amos
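Amos's reading of the log extract, turned into a check. This is an added example and not part of the thread or of Squid itself: a small Python parser for the Squid "common" logformat the extract uses (`%>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh`), which separates 403 (ACL denied) from 407 (credentials missing or rejected) and then looks, per client address and URL, for a 407 that is later followed by an authenticated request. The two 127.0.0.1 lines are the ones Walter posted; the 10.0.0.5 lines and the `example.invalid` URL are constructed to show what a successful retry looks like when the real client address is available.

```python
import re
from collections import defaultdict

# Squid "common" logformat, as in the extract above:
#   %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh
LINE_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) HTTP/(?P<version>[\d.]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) (?P<result>[A-Z_]+):(?P<hier>\S+)$'
)

# Constructed sample: first two lines are from the post, last two are
# invented to show a 407 challenge followed by an authenticated retry.
SAMPLE_LOG = """\
127.0.0.1 - smedina [30/Sep/2009:16:40:39 -0500] "GET http://rad.msn.com/ADSAdClient31.dll? HTTP/1.0" 403 1522 TCP_DENIED:NONE
127.0.0.1 - - [30/Sep/2009:16:40:46 -0500] "GET http://crl.microsoft.com/pki/crl/products/CodeSignPCA2.crl HTTP/1.0" 407 2039 TCP_DENIED:NONE
10.0.0.5 - - [30/Sep/2009:16:41:02 -0500] "GET http://example.invalid/doc.html HTTP/1.0" 407 2039 TCP_DENIED:NONE
10.0.0.5 - smedina [30/Sep/2009:16:41:03 -0500] "GET http://example.invalid/doc.html HTTP/1.0" 200 5120 TCP_MISS:DIRECT
"""


def parse_line(line):
    """Parse one access.log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    rec["user"] = None if rec["user"] == "-" else rec["user"]  # "-" means no login
    return rec


def records_from(text):
    """Parse every well-formed line, silently skipping anything else."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def classify(rec):
    """Name the outcome of a request in terms of proxy authentication."""
    if rec["status"] == 407:
        return "auth-challenge"  # proxy asked for credentials; none accepted yet
    if rec["status"] == 403:
        return "forbidden"       # request was understood but an ACL denied it
    if rec["result"].startswith("TCP_DENIED"):
        return "denied-other"
    return "served"


def auth_retry_outcome(records):
    """For each (client, url) that saw a 407: was it later retried with a login?

    Keyed on client address, so if every client is logged as 127.0.0.1 (as in
    the extract) all hosts and applications collapse into one bucket and the
    answer cannot be attributed to any one of them.
    """
    by_key = defaultdict(list)
    for r in records:
        by_key[(r["client"], r["url"])].append(r)
    outcome = {}
    for key, recs in by_key.items():
        challenges = [i for i, r in enumerate(recs) if r["status"] == 407]
        if not challenges:
            continue
        later = recs[challenges[0] + 1:]
        retried = any(r["status"] != 407 and r["user"] for r in later)
        outcome[key] = "retried" if retried else "no-retry-seen"
    return outcome


def distinct_clients(records):
    """Client addresses seen; a single 127.0.0.1 means per-host tracking is lost."""
    return sorted({r["client"] for r in records})


if __name__ == "__main__":
    recs = records_from(SAMPLE_LOG)
    for r in recs:
        print(f'{r["client"]:10} {r["status"]} {classify(r):15} {r["url"]}')
    print("clients:", distinct_clients(recs))
    for (client, url), result in auth_retry_outcome(recs).items():
        print(f"{client} {url}: {result}")
```

Run against a real access.log the same way, but keep the `*_MISS` and `*_HIT` lines in: the retry detection only works when the successful request is present, and it only attributes the retry to a host when Squid sees the real client address rather than a local redirector's 127.0.0.1.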
Received on Thu Oct 01 2009 - 03:04:29 MDT

This archive was generated by hypermail 2.2.0 : Thu Oct 01 2009 - 12:00:05 MDT