Re: Join to discuss NTLM Authentication

From: Gary Price (ICT) <gprice@dont-contact.us>
Date: Mon, 3 Mar 2003 10:27:22 +1000

Gary Price wrote:
> as described in the squid-users list, I have made a change that appears
> to make NTLM auth work. To my surprise in fact. I would like to figure
> out why this actually works. I was planning to go further and establish a
> guaranteed 1-1 connection between client and server connections, but it
> appears not to be necessary.

Kinkie wrote:
Could you please add more detail?
------------------------------------------------------
More detail follows.

I use transparent proxying and squid 2.3.STABLE5.

With no changes to squid, if I try to use NTLM auth in a real situation I get many auth popups when using a web server with NTLM
auth enabled. However, if I set up a very simple situation in which there is one web server and one client and just one web page
with no images, the authentication works fairly well. If I try to go to a web page with many images I get repeated auth popups.

I decided to set up a 1-1 correspondence between client connections and server connections and see if that helped.
As a start I made a new implementation of pconnPush and pconnPop that used the client IP and port as well as the origin server IP
and port. Then I organised that this would be used instead of the original version.

The idea was that when squid checks the list of persistent server connections for an existing connection to an origin server, if
there is still one available from a previous client connection on the same port, it will use it, otherwise it will make a new one. I
did not expect that this would make the auth work, but I thought it would improve it. I expected that if I left the system idle
until all the pconn connections were deleted, I would get a new auth popup on the next access.

This does not happen. It appears to me, with (I admit) limited testing, that once there is an authorised connection established,
additional connections can be established as well, and also that leaving the connections idle does not hurt - when a new connection
is made, it is authenticated.

Some of my colleagues have tested this using OWA and NTLM auth, and have reported no problems.

So my questions are
- is this really doing what it appears to be doing?
- why does this appear to give no problems?
- how can I stress it, so it displays whatever weaknesses it might have?
- for the change I have made, are there any other parts of squid that need to be altered?
- does my change have significant performance implications?

Some cache.log outputs are shown below.
The source code changes are simple, I will send them if you want.

Thanks
Gary Price
Intelligent Compression Technologies

Here is the first GET:
GET / HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel,
application/msword, */*
Accept-Language: en-au
Accept-Encoding: gzip, deflate
If-Modified-Since: Wed, 30 Oct 2002 06:33:50 GMT; length=1420
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Via: 1.1 accelecache:8080 (Squid/2.3.STABLE5)
X-Forwarded-For: 192.168.99.3
Host: 192.168.77.2
Cache-Control: max-age=259200
Connection: keep-alive

Here is the response:

HTTP/1.1 401 Access Denied
Server: Microsoft-IIS/5.0
Date: Mon, 03 Mar 2003 00:04:39 GMT
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
Content-Length: 3643
Content-Type: text/html

here is the next GET:

2003/03/03 10:06:30| parseHttpRequest: Method is 'GET'
2003/03/03 10:06:30| parseHttpRequest: URI is '/'
2003/03/03 10:06:30| parseHttpRequest: req_hdr = {Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, */*
Accept-Language: en-au
Accept-Encoding: gzip, deflate
If-Modified-Since: Wed, 30 Oct 2002 06:33:50 GMT; length=1420
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: 192.168.77.2
Connection: Keep-Alive
Authorization: Negotiate TlRMTVNTUAABAAAAB4IIoAAAAAAAAAAAAAAAAAAAAAA=

}

Then I get back

2003/03/03 10:06:30| GOT HTTP REPLY HDR:
---------
HTTP/1.1 401 Access Denied
Server: Microsoft-IIS/5.0
Date: Mon, 03 Mar 2003 00:05:03 GMT
WWW-Authenticate: Negotiate
TlRMTVNTUAACAAAAFgAWADAAAAAFgoqgkPzcuECfd20AAAAAAAAAAGwAbABGAAAAUABSAE8AWABZAFMARQBSAFYARQBSAAIAFgBQAFIATwBYAFkAUwBFAFIAVgBFAFIAAQAW
AFAAUgBPAFgAWQBTAEUAUgBWAEUAUgAEABYAcAByAG8AeAB5AHMAZQByAHYAZQByAAMAFgBwAHIAbwB4AHkAcwBlAHIAdgBlAHIAAAAAAA==
Connection: keep-alive
Content-Length: 3245
Content-Type: text/html

and I send

2003/03/03 10:06:30| parseHttpRequest: Method is 'GET'
2003/03/03 10:06:30| parseHttpRequest: URI is '/'
2003/03/03 10:06:30| parseHttpRequest: req_hdr = {Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, */*
Accept-Language: en-au
Accept-Encoding: gzip, deflate
If-Modified-Since: Wed, 30 Oct 2002 06:33:50 GMT; length=1420
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: 192.168.77.2
Connection: Keep-Alive
Authorization: Negotiate
TlRMTVNTUAADAAAAGAAYAHYAAAAYABgAjgAAABgAGABAAAAADAAMAFgAAAASABIAZAAAAAAAAACmAAAABYKIoDEAOQAyAC4AMQA2ADgALgA3ADcALgAyAGcAcAByAGkAYwBl
AEkAQwBUAE8AWgBMAEEAUAAxAMd7qyAwgZGUAAAAAAAAAAAAAAAAAAAAALmlrHL5+x8h+Bce937OBx10lFUuqubEsg==

}

and I get back

HTTP/1.1 304 Not Modified
Server: Microsoft-IIS/5.0
Date: Mon, 03 Mar 2003 00:05:03 GMT
Connection: keep-alive
Content-Location: http://192.168.77.2/Default.htm
ETag: "80954fde7fc21:ec2"
Content-Length: 0

and the page is displayed.

Gary Price
Intelligent Compression Technologies
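The three `Negotiate` blobs in the cache.log exchange above are NTLMSSP messages (Type 1 negotiate, Type 2 challenge, Type 3 authenticate). Because the server's Type 2 challenge and the client's Type 3 answer travel on one TCP connection, the origin server treats that connection, not each request, as authenticated; a proxy that hands a server connection authenticated by one client to a different client would let the second client ride on the first client's identity, which is the point to keep in mind when reviewing the pconn change described above. The parser below is an added example, not code from the original mail or from Squid; it decodes the exact blobs quoted in the log (the wrapped Type 2 and Type 3 values re-joined) and uses only the MS-NLMP field layout.

```python
import base64
import struct

# The three NTLMSSP blobs from the cache.log exchange above (wrapped lines re-joined).
TYPE1_B64 = "TlRMTVNTUAABAAAAB4IIoAAAAAAAAAAAAAAAAAAAAAA="
TYPE2_B64 = ("TlRMTVNTUAACAAAAFgAWADAAAAAFgoqgkPzcuECfd20AAAAAAAAAAGwAbABGAAAAUABSAE8AWABZAFMARQBSAFYARQBSAAIAFgBQAFIATwBYAFkAUwBFAFIAVgBFAFIAAQAW"
             "AFAAUgBPAFgAWQBTAEUAUgBWAEUAUgAEABYAcAByAG8AeAB5AHMAZQByAHYAZQByAAMAFgBwAHIAbwB4AHkAcwBlAHIAdgBlAHIAAAAAAA==")
TYPE3_B64 = ("TlRMTVNTUAADAAAAGAAYAHYAAAAYABgAjgAAABgAGABAAAAADAAMAFgAAAASABIAZAAAAAAAAACmAAAABYKIoDEAOQAyAC4AMQA2ADgALgA3ADcALgAyAGcAcAByAGkAYwBl"
             "AEkAQwBUAE8AWgBMAEEAUAAxAMd7qyAwgZGUAAAAAAAAAAAAAAAAAAAAALmlrHL5+x8h+Bce937OBx10lFUuqubEsg==")

# Subset of the MS-NLMP negotiate flags that appear in these three messages.
FLAG_NAMES = {
    0x00000001: "UNICODE", 0x00000004: "REQUEST_TARGET", 0x00000200: "NTLM",
    0x00008000: "ALWAYS_SIGN", 0x00020000: "TARGET_TYPE_SERVER",
    0x00080000: "EXTENDED_SESSIONSECURITY", 0x00800000: "TARGET_INFO",
    0x20000000: "128", 0x80000000: "56",
}

def flag_names(flags):
    return [name for bit, name in sorted(FLAG_NAMES.items()) if flags & bit]

def _buf(msg, off):
    # NTLM "security buffer": uint16 length, uint16 maxlen, uint32 offset into the message.
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, off)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length]

def parse_ntlm(b64):
    msg = base64.b64decode(b64)
    if msg[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    kind = struct.unpack_from("<I", msg, 8)[0]
    out = {"type": kind}
    if kind == 1:                                   # NEGOTIATE (client -> server)
        out["flags"] = struct.unpack_from("<I", msg, 12)[0]
    elif kind == 2:                                 # CHALLENGE (server -> client)
        out["target"] = _buf(msg, 12).decode("utf-16-le")
        out["flags"] = struct.unpack_from("<I", msg, 20)[0]
        out["challenge"] = msg[24:32].hex()         # server nonce bound to this connection
    elif kind == 3:                                 # AUTHENTICATE (client -> server)
        out["lm_response"] = _buf(msg, 12)          # 8-byte client nonce + 16 zero bytes here
        out["nt_response"] = _buf(msg, 20)
        out["domain"] = _buf(msg, 28).decode("utf-16-le")
        out["user"] = _buf(msg, 36).decode("utf-16-le")
        out["workstation"] = _buf(msg, 44).decode("utf-16-le")
        out["flags"] = struct.unpack_from("<I", msg, 60)[0]
    else:
        raise ValueError("unsupported NTLM message type %d" % kind)
    out["flag_names"] = flag_names(out["flags"])
    return out

if __name__ == "__main__":
    for blob in (TYPE1_B64, TYPE2_B64, TYPE3_B64):
        print(parse_ntlm(blob))
```

Note that the Type 3 message carries the user, domain and workstation in clear, so a proxy log of these blobs is itself sensitive.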
----- Original Message -----
From: "Kinkie" <kinkie-dev@kinkie.it>
To: "Gary Price (ICT)" <gprice@bigpond.net.au>
Cc: <squid-dev@squid-cache.org>
Sent: Sunday, March 02, 2003 10:09 PM
Subject: Re: Join to discuss NTLM Authentication

"Gary Price (ICT)" <gprice@bigpond.net.au> writes:

> Hi
> as described in the squid-users list, I have made a change that appears
> to make NTLM auth work. To my surprise in fact. I would like to figure
> out why this actually works. I was planning to go further and establish a
> guaranteed 1-1 connection between client and server connections, but it
> appears not to be necessary.

Could you please add more detail?
I'm in fact very puzzled, the network traces I obtained some time ago
clearly indicated that IE didn't even attempt authenticating if an NTLM
challenge was issued and it thought it should go through a proxy.

--
kinkie (kinkie-squid [at] kinkie [dot] it)
Random fortune, unrelated to the message:
The problem with the gene pool is that there is no lifeguard.
Received on Sun Mar 02 2003 - 17:28:01 MST
