
List:       privoxy-users
Subject:    [privoxy-users] [ ijbswa-Support Requests-1760031 ] NTLM proxy
From:       "SourceForge.net" <noreply () sourceforge ! net>
Date:       2007-07-25 18:25:21
Message-ID: E1IDlY1-0004DH-DL () sc8-sf-web23 ! sourceforge ! net

Support Requests item #1760031, was opened at 2007-07-25 02:57
Message generated for change (Settings changed) made by fabiankeil
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=211118&aid=1760031&group_id=11118

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: other
Group: None
> Status: Deleted
Priority: 5
Private: No
Submitted By: Stephen Worthington (stephen_w)
> Assigned to: Fabian Keil (fabiankeil)
Summary: NTLM proxy authentication does not work

Initial Comment:
Privoxy 3.0.6
Windows XP SP2
SeaMonkey 1.1.2
Internet Explorer 7.0.5730.11

My company (www.provenco.com) is in the process of implementing a new proxy server
for http connections.  The current proxying setup uses a transparent Squid proxy,
with all port 80 packets being sent to it by the company routers - you do not have to
set up anything in your browsers.  The new setup uses browser settings to send the
traffic to port 8080 on the proxy server box, and those settings are going to be
automatically put in place by the group policies under Windows Active Directory.  The
old proxy did not require authentication, but the new one does.  Both proxies are
using the Squid software.

As I want to keep on using Privoxy, I thought I would try it out using the new setup,
ahead of when everyone is going to be required to use it.  I added a forward line to
config.txt to make Privoxy forward to the new proxy.  I know how to do forwarding, as
I have that working at home where I run my own Squid proxy and have Privoxy set up to
work through it.

Unfortunately, there are some problems with the proxy authentication using Privoxy
with the new proxy.  If I set up my browsers to use the new proxy directly, they
work, so I know the new proxy server is working.

SeaMonkey also works when using Privoxy ahead of the new proxy, but it asks first for
authentication to use the Privoxy proxy, and I have to click "Cancel" on the popup
box for that question, and then it asks for my user ID and password to authenticate
with the new company proxy.  If I fill in the right details, SeaMonkey is then happy
until it is shut down again.  Looking at the Privoxy logs (with full debug output), I
can see that SeaMonkey is using "basic" authentication using a realm.  I do not know
why SeaMonkey asks for a login to Privoxy, as it does not need to authenticate to use
Privoxy.  There may be something that Privoxy is doing to the headers that is
triggering that behaviour, or it may be a SeaMonkey problem.  Either way, it is just
an annoyance, rather than a problem.

With Internet Explorer (and any other programs such as Stardock Central that use the
Windows "Internet Settings" to talk to the Internet), the authentication does not
work.  The new Squid proxy offers the availability of two authentication methods,
"basic" and "NTLM" with these headers:

  Proxy-Authenticate: NTLM
  Proxy-Authenticate: Basic realm="Provenco Proxy Server"

SeaMonkey chooses to use "basic", and that works.  IE7 (and the other programs that
connect the same way) choose to use NTLM, and that fails.  From looking at the logs
and using Ethereal to capture the packets when Privoxy is not being used, I have come
up with a theory as to what might be going wrong.  Privoxy is making changes to the
headers:

  Jul 24 15:08:14 Privoxy(000015f4) Header: crumble crunched: Proxy-Connection: Keep-Alive!
  Jul 24 15:08:14 Privoxy(000015f4) Header: Adding: Connection: close

The effect of these changes is that the connection is closed after each HTTP GET is
done and the response is received.  When Privoxy is not used, IE7 keeps the
connection open and when it receives the first response saying that authentication
is required, it sends its second GET containing the NTLM authentication header using
the same connection.  Subsequent use of that same connection needs no further
authentication.  So it looks as though keeping the connection open is a requirement
for NTLM authentication.

So, does anyone know any more about this?  Will Privoxy be able to support NTLM
authentication in the future?  I took a quick look at the Privoxy source code (3.0.6
and current CVS), and it seems that closing the connection is necessary for Privoxy
to work at present.

I also had an idea about how to fix my problem in the short term - if I could get
Privoxy to remove the header that offers NTLM authentication, maybe IE7 would then
use "basic" authentication.  Is there a way to do that, with a filter maybe, or do I
need to make a source code change to try it?  I would need the filter to work on all
web pages.  I had a go to try to get a filter to do that, but I could not get it to
work - it seemed to not be filtering the headers.
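
Added example (not part of the original post and not Privoxy code): a simplified Python model of the behaviour described above, in which NTLM handshake state is held per connection while Basic is checked per request. `UpstreamProxy`, `fetch`, the `type1`/`type2-challenge`/`type3` tokens and the credential string are constructed stand-ins, not real NTLM messages.

```python
import itertools

# Simplified, constructed model: the upstream proxy tracks the NTLM handshake
# per TCP connection, while Basic credentials are checked on every request.
class UpstreamProxy:
    OFFER = ["NTLM", 'Basic realm="Provenco Proxy Server"']  # headers from the post

    def __init__(self):
        self.state = {}  # connection id -> "challenged" | "authenticated"

    def handle(self, conn, proxy_authorization=None):
        """Return (status, Proxy-Authenticate values) for one request."""
        if self.state.get(conn) == "authenticated":
            return 200, []
        scheme, _, token = (proxy_authorization or "").partition(" ")
        if scheme == "Basic" and token == "constructed-credentials":
            return 200, []
        if scheme == "NTLM" and token == "type1":
            self.state[conn] = "challenged"
            return 407, ["NTLM type2-challenge"]
        if scheme == "NTLM" and token == "type3" and self.state.get(conn) == "challenged":
            self.state[conn] = "authenticated"
            return 200, []
        return 407, list(self.OFFER)


def fetch(proxy, keep_alive, strip_ntlm=False, max_requests=6):
    """Return (final status, scheme chosen, requests sent) for one client.

    keep_alive=False models an intermediary that adds "Connection: close";
    strip_ntlm=True models one that drops the NTLM offer from 407 responses.
    """
    conn_ids = itertools.count()
    conn, auth, scheme, status = next(conn_ids), None, None, None
    for sent in range(1, max_requests + 1):
        status, offers = proxy.handle(conn, auth)
        if status == 200:
            return status, scheme, sent
        if strip_ntlm:
            offers = [o for o in offers if not o.startswith("NTLM")]
        if any(o.startswith("NTLM") for o in offers):  # client prefers NTLM, like IE7 here
            scheme = "NTLM"
            auth = "NTLM type3" if offers == ["NTLM type2-challenge"] else "NTLM type1"
        else:
            scheme, auth = "Basic", "Basic constructed-credentials"
        if not keep_alive:
            conn = next(conn_ids)  # each request arrives on a fresh connection
    return status, scheme, max_requests
```

With `keep_alive=False` the NTLM client never gets past 407 because its final message always lands on a connection the proxy has not challenged, while `strip_ntlm=True` lets it succeed with Basic. Basic sends the password base64-encoded on every request, so it is readable by anything on the path between browser and proxy.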

----------------------------------------------------------------------

Comment By: Stephen Worthington (stephen_w)
Date: 2007-07-25 03:03

Message:
Logged In: YES 
user_id=1726722
Originator: YES

Oops, I pushed the wrong button on my browser and managed to create a
duplicate - please delete this one.

----------------------------------------------------------------------
