Pb with Microsoft Integrated Login and Squid 3.1


Pb with Microsoft Integrated Login and Squid 3.1

by NOGUES Jean-Marc (EURIWARE)

Hi,

I have upgraded our squid from 2.5 stable6 to 3.1.0.14. This is because
many remote web servers want Microsoft connection oriented
authentication and I have seen that squid 2.5 doesn't forward that
kind of authentication.

Now using squid 3.1, my users can connect to such web servers but there
is still an issue.

From time to time, when uploading a file, users get a blank page and the
message "Request not yet fully sent" can be seen in the cache.log file.

Sniffing this (sniffer between proxy and web servers) I can see that,
from time to time, servers keep on sending authentication requests
although the user has already been authenticated (is it a normal
behaviour?).

So sometimes it happens that Squid receives an authentication request as
it is still sending upload data to the server.
This stops the upload and produces the message seen in cache.log.

Thank you for your help.

Best Regards,

Jean-Marc Nogues
jmnogues@...


Re: Pb with Microsoft Integrated Login and Squid 3.1

by Amos Jeffries-2

NOGUES Jean-Marc (EURIWARE) wrote:

> Hi,
>
> I have upgraded our squid from 2.5 stable6 to 3.1.0.14. This is because
> many remote web servers want Microsoft connection oriented
> authentication and I have seen that squid 2.5 doesn't forward that
> kind of authentication.
>
> Now using squid 3.1, my users can connect to such web servers but there
> is still an issue.
>
> From time to time, when uploading a file, users get a blank page and the
> message "Request not yet fully sent" can be seen in the cache.log file.
>
> Sniffing this (sniffer between proxy and web servers) I can see that,
> from time to time, servers keep on sending authentication requests
> although the user has already been authenticated (is it a normal
> behaviour?).

Yes this is _usually_ normal.  HTTP being stateless, the auth details
need to be sent on every request, or the client will be re-challenged.

I say "usually normal", because the client software should be aware of
that requirement and send the auth for as many requests as needed in the
session.

What is NOT normal here is seeing repeated series of missing-auth
requests followed by auth requests from the same clients. This is a sign
of either client software breakage, NAT, or missing keep-alive data in
the requests. Persistent connections, aka keep-alive, are REQUIRED on
both the client and server connections for NTLM based auth, along with
connection pinning to force stateless HTTP into stateful behavior
between the client and server.

>
> So sometimes it happens that Squid receives an authentication request as
> it is still sending upload data to the server.
> This stops the upload and produces the message seen in cache.log.

Looks like you have hit a bug. Possibly the one people are struggling
with at present where a connection's auth credentials are dropped
mid-session.

Can you supply any more detailed trace of what's going on please?

Amos
--
Please be using
   Current Stable Squid 2.7.STABLE7 or 3.0.STABLE20
   Current Beta Squid 3.1.0.14

RE: Pb with Microsoft Integrated Login and Squid 3.1

by NOGUES Jean-Marc (EURIWARE)


Hi,

> I say "usually normal", because the client software should be aware of
> that requirement and send the auth for as many requests as needed in the
> session.

Sniffing between Squid and clients shows that clients never send auth data within further requests in the session. Clients only send auth data just after receiving an "HTTP/1.1 401 Unauthorized" from the remote web server.

Jean-Marc Nogues


-----Original Message-----
From: NOGUES Jean-Marc (EURIWARE)
Sent: Tuesday 3 November 2009 10:36
To: 'Amos Jeffries'
Subject: RE: [squid-users] Pb with Microsoft Integrated Login and Squid 3.1

Hi Amos,

All clients have:
Windows XP SP2
and IE 6.0.2900.2180_xpsp_sp2_gdr.070227-2254 crypt=128 bits

At the bottom of the attached trace we can see an incoming "HTTP/1.1 401 Unauthorized" and then the rest of the upload previously initiated by the client.

(Sorry but, for security reasons, I had to extract a .txt
file from the original Wireshark trace.
Tell me if you need more.)
Regards,

Jm Nogues




Re: Pb with Microsoft Integrated Login and Squid 3.1

by Amos Jeffries-2

NOGUES Jean-Marc (EURIWARE) wrote:
> Hi,
>
>> I say "usually normal", because the client software should be aware of
>> that requirement and send the auth for as many requests as needed in the
>> session.
>
> Sniffing between Squid and clients shows that clients never send auth data within further requests in the session.

Strange. Smells like broken client software.

> Clients only send auth data just after receiving an "HTTP/1.1 401
> Unauthorized" from the remote web server.


What you should be seeing is a series of patterns like this:

CLIENT: request
WEB: 401 auth-missing
CLIENT: request+auth+keepalive
WEB: 200 Okay
CLIENT: request+auth+keepalive
WEB: 200 Okay
CLIENT: request+auth+keepalive
WEB: 200 Okay
CLIENT: request+auth+close
WEB: 200 Okay

... some time later (after browser closed and restarted for second session).

CLIENT: request
WEB: 401 auth-missing
CLIENT: request+auth+keepalive
WEB: 200 Okay
CLIENT: request+auth+close
WEB: 200 Okay


Amos


RE: Pb with Microsoft Integrated Login and Squid 3.1

by NOGUES Jean-Marc (EURIWARE)

Hi,

I have managed to make the clients connect directly to the web server (so no proxy in the middle).

What I am seeing in the same session is this (assuming that by "auth-missing" you mean an "HTTP 401 Unauthorized"?):

CLIENT: request (post)
WEB: 401 auth-missing (Negotiate)
CLIENT: request (post) +auth (Negotiate) +keepalive
WEB: 200 Okay
CLIENT: request (post) + keepalive
WEB: 401 auth-missing (Negotiate)
CLIENT: request (post) +auth (Negotiate) + keepalive
WEB: 200 Okay
CLIENT: request (post) + keepalive
WEB: 401 auth-missing (Negotiate)

.. and so on ..

- The remote site here is a Publigen site, but this problem generally occurs with Sharepoint sites, which also require Integrated Authentication.

- So user data has to be sent twice (not very good for the bandwidth ...)
- Value of the Authorization header is "Negotiate" (Kerberos I presume ..)

I will try soon with another browser than IE.
(actually all browsers are IE 6.0.2900.2180_xpsp_sp2_gdr.070227-2254 crypt=128 bits)

Regards,

Jm Nogues



Re: Pb with Microsoft Integrated Login and Squid 3.1

by Amos Jeffries-2

NOGUES Jean-Marc (EURIWARE) wrote:

> Hi,
>
> I have managed to make the clients connect directly to the web server (so no proxy in the middle).
>
> What I am seeing in the same session is this (assuming that by "auth-missing" you mean an "HTTP 401 Unauthorized"?):
>
> CLIENT: request (post)
> WEB: 401 auth-missing (Negotiate)
> CLIENT: request (post) +auth (Negotiate) +keepalive
> WEB: 200 Okay
> CLIENT: request (post) + keepalive
> WEB: 401 auth-missing (Negotiate)
> CLIENT: request (post) +auth (Negotiate) + keepalive
> WEB: 200 Okay
> CLIENT: request (post) + keepalive
> WEB: 401 auth-missing (Negotiate)
>
> .. and so on ..

Ouch. Definitely a bug in the browser then.

>
> - The remote site here is a Publigen site, but this problem generally occurs with Sharepoint sites, which also require Integrated Authentication.
>
> - So user data has to be sent twice (not very good for the bandwidth ...)
> - Value of the Authorization header is "Negotiate" (Kerberos I presume ..)
>
> I will try soon with another browser than IE.
> (actually all browsers are IE 6.0.2900.2180_xpsp_sp2_gdr.070227-2254 crypt=128 bits)
>
> Regards,
>
> Jm Nogues
>

I've heard a lot of grumbles from many different web people about IE6 in
particular who love other releases. You may find this problem fixed in
later releases of IE.

Amos


RE: Pb with Microsoft Integrated Login and Squid 3.1

by Henrik Nordstrom-5

Wed 2009-11-04 at 18:25 +0100, NOGUES Jean-Marc (EURIWARE) wrote:
> Hi,
>
>> I say "usually normal", because the client software should be aware of
>> that requirement and send the auth for as many requests as needed in the
>> session.
>
> Sniffing between Squid and clients shows that clients never send auth
> data within further requests in the session. Clients only send auth
> data just after receiving an "HTTP/1.1 401 Unauthorized" from the
> remote web server.

Negotiate (and NTLM) are connection oriented, non-HTTP-compliant auth
schemes (a basic principle of HTTP messaging is violated). Because of this,
auth credentials are only seen on the first request per TCP connection.
Once auth has completed on that connection, further requests on the same
connection look like they are anonymous but they are in fact not...
(auth is silently inherited from the TCP connection).

Regards
Henrik
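An added example, not code from the thread, from Squid or from the browser: a small Python replay of the two exchange patterns discussed above. It models what Henrik describes (auth state bound to the TCP connection) and flags the pattern Jean-Marc observed, where an anonymous POST on an already-authenticated connection is answered with a fresh 401 and the body has to be sent again. The traces, field names and functions are constructed for this illustration, not taken from the Wireshark capture.

```python
from collections import defaultdict

# Constructed traces (not the thread's capture): one tuple per HTTP message,
# (conn_id, side, fields). side "C" = client request with auth/keepalive/body
# (body in bytes); side "S" = server response with status/keepalive.
def req(conn, auth=False, keepalive=True, body=0):
    return (conn, "C", {"auth": auth, "keepalive": keepalive, "body": body})

def resp(conn, status, keepalive=True):
    return (conn, "S", {"status": status, "keepalive": keepalive})

# Healthy session: one challenge, then the connection stays authenticated and
# later requests on it are accepted without an Authorization header.
HEALTHY = [
    req(1, body=4096), resp(1, 401),
    req(1, auth=True, body=4096), resp(1, 200),
    req(1, body=8192), resp(1, 200),
    req(1, body=2048, keepalive=False), resp(1, 200, keepalive=False),
]

# Session as described in the thread: every POST without Authorization is
# re-challenged although the same connection already authenticated, so each
# upload body crosses the wire twice.
RECHALLENGED = [
    req(1, body=4096), resp(1, 401),
    req(1, auth=True, body=4096), resp(1, 200),
    req(1, body=8192), resp(1, 401),
    req(1, auth=True, body=8192), resp(1, 200),
    req(1, body=2048), resp(1, 401),
    req(1, auth=True, body=2048), resp(1, 200),
]

def analyse(trace):
    """Replay a trace per TCP connection and count auth anomalies.

    Negotiate/NTLM bind the authenticated state to the TCP connection, so
    after a 401 -> request+auth -> 200 cycle a further 401 to an anonymous
    request on the *same* connection means that state was lost somewhere.
    A 401 on a not-yet-authenticated connection is the normal challenge.
    """
    authed = defaultdict(bool)   # conn_id -> auth completed on this connection
    last_req = {}                # conn_id -> fields of the request in flight
    result = {"challenges": 0, "rechallenges": 0, "resent_bytes": 0}
    for conn, side, f in trace:
        if side == "C":
            last_req[conn] = f
            continue
        r = last_req.get(conn, {})
        if f["status"] == 401:
            result["resent_bytes"] += r.get("body", 0)  # body goes out again
            if authed[conn]:
                result["rechallenges"] += 1
            else:
                result["challenges"] += 1
        elif f["status"] == 200 and r.get("auth"):
            authed[conn] = True
        if not f["keepalive"] or not r.get("keepalive", True):
            authed.pop(conn, None)  # connection closed: auth state dies with it
    return result

def verdict(trace):
    r = analyse(trace)
    if r["rechallenges"]:
        return (f"BROKEN: {r['rechallenges']} re-challenge(s) on an authenticated "
                f"connection, {r['resent_bytes']} bytes re-sent")
    return f"OK: {r['challenges']} initial challenge(s), {r['resent_bytes']} bytes re-sent"

if __name__ == "__main__":
    print(verdict(HEALTHY))
    print(verdict(RECHALLENGED))
```

A non-zero rechallenges count is the symptom the thread is about; run against messages parsed from a real capture in this shape, it separates the normal first challenge from the repeated ones and shows how much upload bandwidth they cost.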