Re: [squid-users] Pb with Microsoft Integrated Login and Squid 3.1

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 05 Nov 2009 22:46:00 +1300

NOGUES Jean-Marc (EURIWARE) wrote:
> Hi,
>
> I have managed to make the clients connect directly to the web server (so no proxy in the middle ..)
>
> What I am seeing in the same session is this (assuming that by "auth-missing" you mean an "HTTP 401 Unauthorized"?):
>
> CLIENT: request (post)
> WEB: 401 auth-missing (Negotiate)
> CLIENT: request (post) +auth (Negotiate) +keepalive
> WEB: 200 Okay
> CLIENT: request (post) + keepalive
> WEB: 401 auth-missing (Negotiate)
> CLIENT: request (post) +auth (Negotiate) + keepalive
> WEB: 200 Okay
> CLIENT: request (post) + keepalive
> WEB: 401 auth-missing (Negotiate)
>
> .. and so on ..

Ouch. Definitely a bug in the browser then.

>
> - The remote site here is a Publigen site, but this problem generally occurs with SharePoint sites, which also require Integrated Authentication.
>
> - So user data has to be sent twice (not very good for the bandwidth ...)
> - Value of Authorisation header is "Negotiate" (Kerberos I presume ..)
>
> I will soon try with a browser other than IE.
> (actually all browsers are and IE 6.0.2900.2180_xpsp_sp2_gdr.070227-2254 crypt=128 bits
>
> Regards,
>
> Jm Nogues
>

I've heard a lot of grumbles from many different web people about IE6 in
particular who love other releases. You may find this problem fixed in
later releases of IE.

Amos

>
> -----Original Message-----
> From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
> Sent: Thursday, 5 November 2009 05:27
> Cc: squid-users_at_squid-cache.org
> Subject: Re: [squid-users] Pb with Microsoft Integrated Login and Squid 3.1
>
> NOGUES Jean-Marc (EURIWARE) wrote:
>> Hi,
>>
>>> I say "usually normal", because the client software should be aware of
>>> that requirement and send the auth for as many requests as needed in the
>>> session.
>> Sniffing between Squid and clients shows that clients never send auth data within further requests in the session.
>
> Strange. Smells like broken client software.
>
>> Clients only send auth data just after receiving an "HTTP/1.1 401
>> Unauthorized" from the remote web server.
>
>
> What you should be seeing is series of patterns like this:
>
> CLIENT: request
> WEB: 401 auth-missing
> CLIENT: request+auth+keepalive
> WEB: 200 Okay
> CLIENT: request+auth+keepalive
> WEB: 200 Okay
> CLIENT: request+auth+keepalive
> WEB: 200 Okay
> CLIENT: request+auth+close
> WEB: 200 Okay
>
> ... some time later (after browser closed and restarted for second session).
>
> CLIENT: request
> WEB: 401 auth-missing
> CLIENT: request+auth+keepalive
> WEB: 200 Okay
> CLIENT: request+auth+close
> WEB: 200 Okay
>
>
> Amos
>
>> -----Original Message-----
>> From: NOGUES Jean-Marc (EURIWARE)
>> Sent: Tuesday, 3 November 2009 10:36
>> To: 'Amos Jeffries'
>> Subject: RE: [squid-users] Pb with Microsoft Integrated Login and Squid 3.1
>>
>> Hi Amos,
>>
>> All clients have :
>> Windows XP SP2
>> and IE 6.0.2900.2180_xpsp_sp2_gdr.070227-2254 crypt=128 bits
>>
>> At the bottom of the attached trace we can see an incoming "HTTP/1.1 401 Unauthorized" and then the rest of the upload previously initiated by the client.
>>
>> (Sorry, but for security reasons I had to extract a .txt
>> file from the original Winshark trace.
>> - tell me if you need more)
>> regards,
>>
>> Jm Nogues
>>
>>
>>
>> -----Original Message-----
>> From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
>> Sent: Tuesday, 3 November 2009 05:54
>> To: NOGUES Jean-Marc (EURIWARE)
>> Cc: squid-users_at_squid-cache.org
>> Subject: Re: [squid-users] Pb with Microsoft Integrated Login and Squid 3.1
>>
>> NOGUES Jean-Marc (EURIWARE) wrote:
>>> Hi,
>>>
>>> I have upgraded our squid from 2.5 stable6 to 3.1.0.14. This is because
>>> many remote web servers want Microsoft connection-oriented
>>> authentication and I have seen that squid 2.5 doesn't forward that
>>> kind of authentication.
>>>
>>> Now using squid 3.1, my users can connect to such web servers but there
>>> is still an issue.
>>>
>>> From time to time, when uploading a file, users get a blank page and the
>>> message "Request not yet fully sent" can be seen in the cache.log file.
>>>
>>> Sniffing this (sniffer between proxy and web servers) I can see that,
>>> from time to time, servers are going on sending authentication requests
>>> although the user has been already authenticated (is it a normal
>>> behaviour ?).
>> Yes this is _usually_ normal. HTTP being stateless the auth details
>> need to be sent on every request, or the client will be re-challenged.
>>
>> I say "usually normal", because the client software should be aware of
>> that requirement and send the auth for as many requests as needed in the
>> session.
>>
>> What is NOT normal here is seeing repeated series of missing-auth
>> requests followed by auth request from the same clients. This is a sign
>> of either client software breakage, NAT, or missing keep-alive data in
>> the requests. Persistent connections, aka keep-alive, is REQUIRED on
>> both the client and server connections for NTLM based auth along with
>> connection pinning to force stateless HTTP into stateful behavior
>> between the client and server.
>>
>>> So sometimes it happens that Squid receives an authentication request as
>>> it is still sending upload data to the server.
>>> This stops the upload and produces the message seen in cache.log
>> Looks like you have hit a bug. Possibly the one people are struggling
>> with at present where a connection's auth credentials are dropped
>> mid-session.
>>
>> Can you supply any more detailed trace of what's going on please?
>>
>> Amos
>
>

-- 
Please be using
   Current Stable Squid 2.7.STABLE7 or 3.0.STABLE20
   Current Beta Squid 3.1.0.14
Received on Thu Nov 05 2009 - 09:46:22 MST
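
The two request/response patterns compared in this thread can be told apart mechanically. The following is an added example, not part of the original messages or of Squid: it parses traces written in the thread's own notation and counts challenges that arrive after a connection has already authenticated. Both traces are constructed from the patterns quoted above, and the counter names (`omitted_auth`, `auth_dropped`, `rejected_posts`) are hypothetical.

```python
# Constructed traces in the thread's notation, one connection each.
EXPECTED = """CLIENT: request
WEB: 401 auth-missing
CLIENT: request+auth+keepalive
WEB: 200 Okay
CLIENT: request+auth+close
WEB: 200 Okay"""

OBSERVED = """CLIENT: request (post)
WEB: 401 auth-missing (Negotiate)
CLIENT: request (post) +auth (Negotiate) +keepalive
WEB: 200 Okay
CLIENT: request (post) +keepalive
WEB: 401 auth-missing (Negotiate)
CLIENT: request (post) +auth (Negotiate) +keepalive
WEB: 200 Okay
CLIENT: request (post) +keepalive
WEB: 401 auth-missing (Negotiate)"""


def parse(trace):
    """Pair each CLIENT line with the WEB status line that answers it."""
    pairs, pending = [], None
    for line in trace.splitlines():
        side, _, rest = line.partition(":")
        if side == "CLIENT":
            flags = {f.split()[0] for f in rest.split("+")[1:] if f.strip()}
            pending = {"auth": "auth" in flags, "post": "(post)" in rest}
        elif side == "WEB" and pending is not None:
            pairs.append({**pending, "status": int(rest.split()[0])})
            pending = None
    return pairs


def analyse(trace):
    """Count re-challenges on a connection that had already authenticated."""
    authed = False
    out = {"omitted_auth": 0, "auth_dropped": 0, "rejected_posts": 0}
    for p in parse(trace):
        if p["status"] == 401:
            out["rejected_posts"] += p["post"]  # upload body sent, then refused
            if authed:  # a challenge after a successful login is abnormal
                out["auth_dropped" if p["auth"] else "omitted_auth"] += 1
        elif p["auth"] and p["status"] == 200:
            authed = True
    return out


if __name__ == "__main__":
    for name, trace in (("expected", EXPECTED), ("observed", OBSERVED)):
        print(name, analyse(trace))
```

A non-zero `omitted_auth` matches the client-side behaviour reported in this message; a non-zero `auth_dropped` would instead point at the dropped-credentials case mentioned earlier in the thread.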
