[squid-users] Problems with Vista and Internet Explorer - NTLM Auth

From: Carlos Martínez-Troncoso C. <cmartinez_at_uninorte.edu.co>
Date: Tue, 29 Jul 2008 11:59:26 -0500

Hello Squid gurus.

Our proxy service was working very well until last week, when we
received reports that some students couldn't use the wireless LAN. In
our network, if you are using the wired LAN you can use the proxy without
a password; if you use the wireless, Squid prompts for a user/password
(NTLM). The problem occurs with Windows Vista and Explorer 7. If you
try to surf there is no prompt for user/password and you receive the
error page "Cache Use Denied"; the access.log shows TCP_DENIED. If you try on
the same computer with Firefox, it works without problems.

If you use Firefox with Vista or another operating system, or Explorer
with XP, 2000, etc., everything is all right. The only problem is the mix:
Windows Vista with Explorer 7.

We were using Squid 2.6.17-1 with NTLM Auth (winbind, Samba 3.025b-1-14)
on CentOS 5.2. Now we have upgraded to Squid 3.0.7-1 (from Fedora's src rpm)
but the problem is the same. Before the problem we didn't change
anything. I just erased these lines from my squid.conf after the problem,
but the situation is the same:

    auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic -d=5
    auth_param basic children 30
    auth_param basic realm Squid proxy-caching web server
    auth_param basic credentialsttl 2 hours

Do you have any reports about problems with Vista and Explorer (maybe a
new patch)?

I didn't find anything in the forum or on Google. What kind of tests can I do?

Now I am installing Windows Vista on a notebook for testing (we don't like
that "operating system" but our students like it); when the endless setup
finishes I will look at the packets with a sniffer. Any other ideas?

This is my SQUID.CONF (I erased some ACLs because the file is very long):

http_port 172.17.3.10:8080
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 64 MB
cache_dir ufs /cache 6000 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log none
half_closed_clients off
quick_abort_min 0
quick_abort_max 0
pipeline_prefetch off
ftp_user anonymous_at_uninorte.edu.co

#WLAN Auth
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

# ACCESS CONTROLS
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 2083 2443 8443 445 3144 4050 4444
acl Safe_ports port 80 81 21 443 563 70 210 1025-65535
acl puerto_bloqueado port 1863 #Messenger blocked 16Feb2005
acl CONNECT method CONNECT

#Do not cache dynamic sites
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

# Deny requests to unknown ports
http_access deny puerto_bloqueado
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports

http_access allow PURGE localhost
http_access deny PURGE

#Forbidden sites
acl prohibido dstdomain "/etc/squid/sitios-prohibidos"
http_access allow carlos prohibido
http_access deny prohibido

#Authentication for WLAN
acl wlan src "/etc/squid/ips-wlan"
acl password proxy_auth REQUIRED
http_access allow wlan password

#Block access from student VLANs
acl permitidos src "/etc/squid/permitidos"
http_access allow permitidos

http_access allow localhost
http_access deny all

http_reply_access allow all

icp_access deny all

cache_mgr admin_at_uninorte.edu.co

cache_effective_user squid
cache_effective_group squid
visible_hostname cipres
logfile_rotate 365

Thanks in advance. Sorry for my bad English.

-- 
Ing. Carlos Martínez-Troncoso Cera
Administrator of Internet Services and Institutional Email
Universidad del Norte - www.uninorte.edu.co
Tel: 57 5 3509367
Barranquilla, Colombia
Received on Tue Jul 29 2008 - 16:59:35 MDT
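One test that can be run before the sniffer is ready: check access.log for WLAN clients that only ever receive the 407 challenge and never log an authenticated request. A healthy NTLM exchange shows two TCP_DENIED/407 lines followed by a request carrying a username; a client stuck on 407s never completed the handshake. This is an added diagnostic script, not part of the original post; it assumes Squid's default (native) access.log format and a WLAN subnet of 172.17.5.0/24 (both assumptions), and uses constructed sample lines.

```python
"""Spot proxy clients that never get past the NTLM 407 challenge.

Added example for the thread above, not the poster's own tooling.
Assumes Squid's native access.log format and that the wlan ACL covers
172.17.5.0/24 (assumptions, not taken from the post).
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines: 172.17.5.20 completes NTLM (two 407s, then a
# 200 with a username); 172.17.5.33 only ever gets 407s; 172.17.9.5 is wired.
SAMPLE_LOG = """\
1217347166.101 12 172.17.5.20 TCP_DENIED/407 1700 GET http://www.example.com/ - NONE/- text/html
1217347166.150 11 172.17.5.20 TCP_DENIED/407 1700 GET http://www.example.com/ - NONE/- text/html
1217347166.900 230 172.17.5.20 TCP_MISS/200 5400 GET http://www.example.com/ UNINORTE\\jdoe DIRECT/192.0.2.10 text/html
1217347170.001 10 172.17.5.33 TCP_DENIED/407 1700 GET http://www.example.org/ - NONE/- text/html
1217347170.050 10 172.17.5.33 TCP_DENIED/407 1700 GET http://www.example.org/ - NONE/- text/html
1217347170.099 10 172.17.5.33 TCP_DENIED/407 1700 GET http://www.example.org/ - NONE/- text/html
1217347180.000 8 172.17.9.5 TCP_HIT/200 3000 GET http://www.example.net/ - NONE/- text/html
"""


def parse_line(line):
    """Split one native-format line into the fields we need; None if malformed."""
    f = line.split()
    if len(f) < 8:
        return None
    action, _, status = f[3].partition("/")
    return {"client": f[2], "action": action, "status": status, "user": f[7]}


def ntlm_stuck_clients(log_text, wlan_net="172.17.5.0/24"):
    """Return {client_ip: number_of_407s} for clients inside wlan_net that
    were challenged but never logged a request with a username."""
    net = ip_network(wlan_net)
    challenges = defaultdict(int)
    authenticated = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or ip_address(rec["client"]) not in net:
            continue
        if rec["status"] == "407":
            challenges[rec["client"]] += 1
        elif rec["user"] != "-":
            authenticated.add(rec["client"])
    return {ip: n for ip, n in challenges.items() if ip not in authenticated}


if __name__ == "__main__":
    for ip, n in ntlm_stuck_clients(SAMPLE_LOG).items():
        print(f"{ip}: {n} x 407, never authenticated")
```

Run it against the real log with `ntlm_stuck_clients(open("/var/log/squid/access.log").read())`; the IPs it reports are the ones to capture with the sniffer.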
