  • We use squid as a HTTP proxy (if needed I can modify its configuration).
  • We want to access a website that uses NTLM for authentication
  • When we go on the website through squid we see a blank page
  • When we go to the website through a DSL box, we see an authentication popup (desired result)

I don't know much about NTLM ... deranged imagination ... crappy protocol ... grmbl grmbl :D :D :D

This thread says it can't be done: http://www.squid-cache.org/mail-archive/squid-users/200708/0578.html

Are there any guru who can provide a solution or a workaround?

Here's the telnet output on port 80 for the desired website:

Trying 111.222.333.444...
Connected to www.extranet-example.com (111.222.333.444).
Escape character is '^]'.
GET /index.htm HTTP/1.1
host: www.extranet-example.com

HTTP/1.1 401 Unauthorized
Server: Microsoft-IIS/7.5
SPRequestGuid: 2764478a-b14a-4541-9110-27ebf4281e84
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
MicrosoftSharePointTeamServices: 14.0.0.4762
Date: Mon, 25 Nov 2013 14:25:26 GMT
Content-Length: 0

Bonus: We use 2 chained proxy servers (squid-2.6 rhel5)

Edit: Using NTLM to do squid authentication is not what we are trying to achieve.

Edit 2: The website we try to reach is outside our company, outside of our network. In fact it is a public website with a public IP. If I exclude this website from the proxy configuration, it won't work because our workstations have no route to the internet nor direct connection.

GomoX
  • http://www.cyberciti.biz/faq/squid-ntlm-authentication-configuration-howto/ – user9517 Dec 05 '13 at 10:24
  • It seems this website covers how to use ntlm for squid authentication and this is not my question at all. –  Dec 05 '13 at 10:41
  • I contacted the website administrator and they are digging the problem on their side too. –  Dec 16 '13 at 08:36

2 Answers

NTLM is connection-oriented, and since there's no direct connection between you and the webserver when you use the proxy, NTLM fails. (There's a connection between you and the proxy and a second connection between the proxy and the website.)

If you can't upgrade to, for example, Kerberos auth, your best bet is to add the webserver to the proxy exclude list in your client configuration (PAC file?). Typically internal servers on the corporate intranet (which is where you'd expect NTLM auth) are excluded from the proxy for this reason and clients connect directly.

EDIT

Apparently there's an option in Squid for NTLM passthrough authentication: Connection Pinning. Available from Squid version 2.6 and up and 3.1 and up.

http_port ... connection-auth[=on|off]
https_port ... connection-auth[=on|off]
HBruijn
  • This, you need a TCP proxy to get NTLM over a proxy. – GomoX Dec 05 '13 at 12:53
  • I can't upgrade to kerberos since the website we have to use is not our website, nor it is part of our company. –  Dec 05 '13 at 13:52
  • Gave more details about the problem inside the question –  Dec 05 '13 at 13:55
  • Added the info on NTLM passthrough authentication support in Squid 2.6/3.1 and up to my earlier answer. – HBruijn Dec 05 '13 at 14:49
  • Looks like exactly what the OP needed. – GomoX Dec 05 '13 at 14:50
  • +1 Has anyone ever used this feature in production? Does it work with NTLMv2? Chained proxies? –  Dec 05 '13 at 15:07
  • It doesn't seem like NTLM vs NTLMv2 would make a difference. – mfinni Dec 05 '13 at 21:00
  • It should work over chained proxies as it's just doing a TCP socket passthrough. It will create a ton of connections though as the nature of NTLM auth needs an open socket for each client (hence normal proxying doesn't work). – GomoX Jan 10 '14 at 15:42
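The point made in this answer and its comments (NTLM authenticates a TCP connection, so a proxy that opens a fresh upstream socket per request loses the handshake state, while Squid's connection-auth pins the client connection to one upstream connection) can be shown with a small in-memory model. This is an added illustration, not code from Squid, IIS or the answerers; the NtlmServer, Proxy and ntlm_login names, the "TYPE1/TYPE2/TYPE3" token strings and the nonce values are all constructed stand-ins for the real NTLM messages.

```python
"""Model of why NTLM breaks behind a proxy that does not pin connections.

Constructed illustration (not Squid's or IIS's code): the server keeps the
NTLM challenge per TCP connection, so every message of the three-step
handshake must arrive on the same upstream socket.
"""
import itertools


class NtlmServer:
    """Web server that authenticates each TCP connection with NTLM.

    State is keyed by the upstream connection id, the way a real server
    keeps the Type 2 challenge and the authenticated flag per socket.
    """

    def __init__(self):
        self.challenges = {}        # conn_id -> challenge issued on that socket
        self.authenticated = set()  # conn_ids that completed the handshake
        self._nonce = itertools.count(1000)  # constructed challenge values

    def handle(self, conn_id, auth_header):
        """Return (status, WWW-Authenticate header or None, body)."""
        if conn_id in self.authenticated:
            return 200, None, "<html>extranet content</html>"
        if auth_header is None:
            return 401, "NTLM", ""  # step 0: demand NTLM, as in the telnet output
        scheme, _, token = auth_header.partition(" ")
        if scheme != "NTLM":
            return 401, "NTLM", ""
        if token == "TYPE1":
            nonce = next(self._nonce)
            self.challenges[conn_id] = nonce  # challenge bound to THIS socket
            return 401, f"NTLM TYPE2:{nonce}", ""
        if token.startswith("TYPE3:"):
            nonce = self.challenges.get(conn_id)
            if nonce is None:
                # No challenge was issued on this socket: the handshake state
                # lived on another connection, so authentication restarts.
                return 401, "NTLM", ""
            if token == f"TYPE3:{nonce}":
                self.authenticated.add(conn_id)
                return 200, None, "<html>extranet content</html>"
        return 401, "NTLM", ""


class Proxy:
    """Forward proxy between the browser and NtlmServer.

    pinning=True models Squid's connection-auth (one client connection is
    bound to one upstream connection); pinning=False models a proxy that
    may use a fresh upstream connection for every request.
    """

    def __init__(self, server, pinning):
        self.server = server
        self.pinning = pinning
        self.pinned = {}  # client conn -> upstream conn
        self._ids = itertools.count(1)

    def forward(self, client_conn, auth_header):
        if self.pinning:
            upstream = self.pinned.setdefault(client_conn, next(self._ids))
        else:
            upstream = next(self._ids)  # new upstream socket per request
        return self.server.handle(upstream, auth_header)


def ntlm_login(proxy, client_conn="client-1"):
    """Run the browser side of the handshake through the proxy.

    Returns (final status, list of statuses seen). A final 401 is the
    'blank page' the question describes; 200 is the desired result.
    """
    history = []
    status, www_auth, _ = proxy.forward(client_conn, None)
    history.append(status)
    if status != 401 or www_auth != "NTLM":
        return status, history
    status, www_auth, _ = proxy.forward(client_conn, "NTLM TYPE1")
    history.append(status)
    if not (status == 401 and www_auth and www_auth.startswith("NTLM TYPE2:")):
        return status, history
    nonce = www_auth.split(":", 1)[1]
    status, _, _ = proxy.forward(client_conn, f"NTLM TYPE3:{nonce}")
    history.append(status)
    return status, history


if __name__ == "__main__":
    print("pinned   :", ntlm_login(Proxy(NtlmServer(), pinning=True)))
    print("unpinned :", ntlm_login(Proxy(NtlmServer(), pinning=False)))
```

With pinning the statuses are 401, 401, 200; without it the Type 3 message lands on a socket the server has never challenged, so the third response is another bare 401 and the browser shows nothing useful. The same per-socket state is why a TCP-level passthrough (HAProxy in mode tcp, as the other answer suggests) works: it never splits one client connection across several upstream ones.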

Based on the information provided, I don't think you can create a workaround to use NTLM over Squid over the Internet without going "outside the box" somehow.

A possible suggestion would be using HAproxy (which does TCP reverse proxying) to create a local URL in your network that pipes requests to the site on the other end. If you have to go through 2 different hops (i.e. the 2 machines running Squid) then you would have to set up two instances.

Configuration would be something on the lines of:

listen localsite 0.0.0.0:80      # local address your clients point at
    mode tcp                     # raw TCP passthrough, no HTTP handling
    balance roundrobin
    option  tcplog

    server upstream1 1.2.3.4:80  # the NTLM-protected site (or the next hop)

While you do have to run a separate application, HAproxy is super painless (install a single package, 10 line config file, pretty much 0 configuration, 0 maintenance).

The other option would be to modify the system's configuration to enable some sort of SSO, and then use a local NTLM authenticator to initiate the sessions to the upstream system. This might imply development and changes to the system.

I don't think I have ever seen NTLM used over the Internet though, it's generally used in LANs. Maybe if you expand on the situation we can suggest an alternative strategy.

GomoX