Ah OK sorry I am curious why you have a reason to use NTLM over Kerberos? :-)
-----Original Message----- From: Rafael Akchurin [mailto:rafael.akchu...@diladele.com] Sent: 09 March 2017 18:01 To: Mike Surcouf Cc: Amos Jeffries; squid-users@lists.squid-cache.org Subject: Re: [squid-users] microsoft edge and proxy auth not working Hello Mike, I specifically was debugging our NTLM implementation with Edge :) Kerberos works just fine, you are correct. Best regards, Rafael Akchurin > Op 9 mrt. 2017 om 18:57 heeft Mike Surcouf <mi...@surcouf.co.uk> het volgende > geschreven: > > Hi Rafael > > Is there any reason you can't use Kerberos. > Note you will need to create a keytab but the setup is not that hard and in > the docs. > I use it very successfully on window AD network. > > auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth > auth_param negotiate children 20 > auth_param negotiate keep_alive on > > Thanks > > Mike > > -----Original Message----- > From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] > On Behalf Of Rafael Akchurin > Sent: 09 March 2017 17:01 > To: Amos Jeffries; squid-users@lists.squid-cache.org > Subject: Re: [squid-users] microsoft edge and proxy auth not working > > Hello Amos, Markus, all, > > Just as a side note - I also suffered from this error sometime before with > Edge and our custom NTLM relay to domain controllers (run as auth helper by > Squid). The strange thing it went away after installing some (unknown) > Windows update. > > I do have the "auth_param ntlm keep_alive off" in the config though. > > It all makes me quite suspicious the error was/is in Edge or in my curly > hands. > > Best regards, > Rafael Akchurin > Diladele B.V. > > -----Original Message----- > From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] > On Behalf Of Amos Jeffries > Sent: Thursday, March 9, 2017 5:12 PM > To: squid-users@lists.squid-cache.org > Subject: Re: [squid-users] microsoft edge and proxy auth not working > > On 8/03/2017 11:28 p.m., Rietzler, Markus (RZF, Aufg 324 / > <RIETZLER_SOFTWARE>) wrote: >> i should add that we are using squid 3.5.24. >> > > Try with "auth_param ntlm keep_alive off". Recently the browsers have been > needing that. > > Though frankly I am surprised if Edge supports NTLM at all. It was deprecated > in April 2006 and MS announced removal was being actively pushed in all thier > software since Win7. > >> >>> -----Ursprüngliche Nachricht----- >>> Von: Rietzler, Markus >>> >>> we have some windows 10 clients using microsoft edge browser. >>> access to internet is only allowed for authenticated users. we are >>> using samba/winbind auth >>> >>> auth_param ntlm program /usr/bin/ntlm_auth >>> --helper-protocol=squid-2.5- ntlmssp auth_param ntlm children 64 >>> startup=24 idle=12 auth_param ntlm keep_alive on acl auth_user >>> proxy_auth REQUIRED >>> >>> on windows 10 clients with IE11 it is working (with ntlm automatic >>> auth) on the same machine, with Microsoft edge I get TCP_Denied/407 message. >>> seems I only get one single TCP_DENIED/407 line in accesslog and an >>> auth dialog pops up. I have disabled basic auth via ntlm. >>> shouldn't there be 3 lines for proxy auth? with IE11 I see those >>> three lines (2x TCP_DENIED/407 and 1x TCP_MISS/200), no popup at all. > > Not specifically. There should be 1+ for NTLM. Success with NTLM shows > 2+. Failure shows 1 or 3 or infinite loop (hello Safari and Firefox 30-ish). > > >>> >>> winbind/samba itself seems to work, as I can do an user auth against >>> apache with winbind/samba - even over some squid proxies with >>> connection-auth allowed. but not for proxy-auth. >>> is there any option in squid.conf which prevents Edge to do a >>> successful auth? > > If other software succeeds then the only thing that might be related is the > keep-alive option mentioned above. Otherwise the problem is in Edge itself. > > Amos > > _______________________________________________ > squid-users mailing list > squid-users@lists.squid-cache.org > http://lists.squid-cache.org/listinfo/squid-users > _______________________________________________ > squid-users mailing list > squid-users@lists.squid-cache.org > http://lists.squid-cache.org/listinfo/squid-users _______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
