[squid-users] Squid not keeping authenticated NTLM session open

From: infernalis <kevin.p.baldwin_at_gmail.com>
Date: Mon, 14 May 2012 22:28:02 -0700 (PDT)

Hi all,
 
I'm having considerable trouble getting Squid to work well with
NTLM/Kerberos and was hoping someone here would be able to help.
 
My ultimate goal is to be able to connect to an IIS server through Squid
using a computer that is not a member of the AD domain. I would like to
enter my credentials once to the proxy, and then have Squid save the
authentication token in order to use it against other servers that require
authentication.
 
The problem I'm facing is that no matter what I've tried, I'm forced to
authenticate manually six times while loading sites requiring
authentication. This is much worse than the behavior prior to adding Squid.
 
First, is it possible for Squid to cache the credentials and then
authenticate on behalf of the client to an upstream server? If this isn't
the best way to go about doing this, what would you suggest?
 
Second, what could be the problem with my configuration?
 
I'm running Squid 3.1.10.
 
Thanks in advance!

Here is my current config:
 
http_port 80 accel defaultsite=webservername connection-auth=on
cache_peer x.x.x.x parent 80 0 no-query login=PASS originserver connection-auth=on name=serv

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm keep_alive on

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Domain Proxy Server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

acl auth proxy_auth REQUIRED

http_access allow auth
http_access deny all

acl our_sites dstdomain webservername proxy_auth REQUIRED
client_persistent_connections on
server_persistent_connections on
debug_options ALL,2

http_access allow our_sites
cache_peer_access serv allow our_sites
cache_peer_access serv deny all

If it helps, here is part of the cache.log file with debug level 2 applied.
 
When I request the website through the proxy, there is an initial 5-second
delay that is not present when accessing the site directly. Then I get the
following:
 
[2012/05/14 22:32:00.549309, 3] libsmb/ntlmssp.c:65(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0xa2088207
2012/05/14 22:32:05.555| AuthNTLMUserRequest::authenticate: need to challenge client 'Tl...AA'!
2012/05/14 22:32:05.556| The request GET http://webservername/testsite/ is DENIED, because it matched 'auth'
2012/05/14 22:32:05.556| The reply for GET http://webservername/testsite/ is ALLOWED, because it matched 'auth'
[2012/05/14 22:32:05.560165, 3] libsmb/ntlmssp.c:747(ntlmssp_server_auth)
  Got user=[me] domain=[DOMAIN] workstation=[WKS_NAME] len1=24 len2=24
[2012/05/14 22:32:05.565952, 3] libsmb/ntlmssp_sign.c:343(ntlmssp_sign_init)
  NTLMSSP Sign/Seal - Initialising with flags:
[2012/05/14 22:32:05.566021, 3] libsmb/ntlmssp.c:65(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0xa2088205
2012/05/14 22:32:05.566| The request GET http://webservername/testsite/ is ALLOWED, because it matched 'auth'
2012/05/14 22:32:05.566| client_side_request.cc(547) clientAccessCheck2: No adapted_http_access configuration.
2012/05/14 22:32:05.566| The request GET http://webservername/testsite/ is ALLOWED, because it matched 'auth'
2012/05/14 22:32:05.578| The reply for GET http://webservername/testsite/ is ALLOWED, because it matched 'our_sites'
 
## After authenticating, I get this, followed by a few more authentications
and a lot more http requests:
 
2012/05/14 22:33:09.880| connReadWasError: FD 12: got flag -1
2012/05/14 22:33:09.880| ConnStateData::swanSong: FD 12
[2012/05/14 22:33:09.884534, 3] libsmb/ntlmssp.c:65(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0xa2088207
2012/05/14 22:33:14.891| AuthNTLMUserRequest::authenticate: need to challenge client 'Tl...AA'!
2012/05/14 22:33:14.891| The request GET http://webservername/testsite/ is DENIED, because it matched 'auth'
2012/05/14 22:33:14.891| The reply for GET http://webservername/testsite/ is ALLOWED, because it matched 'auth'
[2012/05/14 22:33:14.894114, 3] libsmb/ntlmssp.c:747(ntlmssp_server_auth)
  Got user=[me] domain=[DOMAIN] workstation=[WKS_NAME] len1=24 len2=24
[2012/05/14 22:33:14.899355, 3] libsmb/ntlmssp_sign.c:343(ntlmssp_sign_init)
  NTLMSSP Sign/Seal - Initialising with flags:
[2012/05/14 22:33:14.899521, 3] libsmb/ntlmssp.c:65(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0xa2088205
2012/05/14 22:33:14.899| The request GET http://webservername/testsite/ is ALLOWED, because it matched 'auth'
2012/05/14 22:33:14.899| client_side_request.cc(547) clientAccessCheck2: No adapted_http_access configuration.
2012/05/14 22:33:14.899| The request GET http://webservername/testsite/ is ALLOWED, because it matched 'auth'

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-not-keeping-authenticated-NTLM-session-open-tp4633944.html
Sent from the Squid - Users mailing list archive at Nabble.com.
Received on Tue May 15 2012 - 05:28:04 MDT