List: privoxy-users
Subject: [privoxy-users] [ ijbswa-Support Requests-1760031 ] NTLM proxy
From: "SourceForge.net" <noreply () sourceforge ! net>
Date: 2007-07-25 18:25:21
Message-ID: E1IDlY1-0004DH-DL () sc8-sf-web23 ! sourceforge ! net
Support Requests item #1760031, was opened at 2007-07-25 02:57
Message generated for change (Settings changed) made by fabiankeil
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=211118&aid=1760031&group_id=11118
Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: other
Group: None
> Status: Deleted
Priority: 5
Private: No
Submitted By: Stephen Worthington (stephen_w)
> Assigned to: Fabian Keil (fabiankeil)
Summary: NTLM proxy authentication does not work
Initial Comment:
Privoxy 3.0.6
Windows XP SP2
SeaMonkey 1.1.2
Internet Explorer 7.0.5730.11
My company (www.provenco.com) is in the process of implementing a new proxy server for http connections. The current proxying setup uses a transparent Squid proxy, with all port 80 packets being sent to it by the company routers - you do not have to set up anything in your browsers. The new setup uses browser settings to send the traffic to port 8080 on the proxy server box, and those settings are going to be automatically put in place by the group policies under Windows Active Directory. The old proxy did not require authentication, but the new one does. Both proxies are using the Squid software.
As I want to keep on using Privoxy, I thought I would try it out using the new setup, ahead of when everyone is going to be required to use it. I added a forward line to config.txt to make Privoxy forward to the new proxy. I know how to do forwarding, as I have that working at home where I run my own Squid proxy and have Privoxy set up to work through it.
Unfortunately, there are some problems with the proxy authentication using Privoxy with the new proxy. If I set up my browsers to use the new proxy directly, they work, so I know the new proxy server is working.
SeaMonkey also works when using Privoxy ahead of the new proxy, but it asks first for authentication to use the Privoxy proxy, and I have to click "Cancel" on the popup box for that question, and then it asks for my user ID and password to authenticate with the new company proxy. If I fill in the right details, SeaMonkey is then happy until it is shut down again. Looking at the Privoxy logs (with full debug output), I can see that SeaMonkey is using "basic" authentication using a realm. I do not know why SeaMonkey asks for a login to Privoxy, as it does not need to authenticate to use Privoxy. There may be something that Privoxy is doing to the headers that is triggering that behaviour, or it may be a SeaMonkey problem. Either way, it is just an annoyance, rather than a problem.
With Internet Explorer (and any other programs such as Stardock Central that use the Windows "Internet Settings" to talk to the Internet), the authentication does not work. The new Squid proxy offers the availability of two authentication methods, "basic" and "NTLM" with these headers:
Proxy-Authenticate: NTLM
Proxy-Authenticate: Basic realm="Provenco Proxy Server"
SeaMonkey chooses to use "basic", and that works. IE7 (and the other programs that connect the same way) choose to use NTLM, and that fails. From looking at the logs and using Ethereal to capture the packets when Privoxy is not being used, I have come up with a theory as to what might be going wrong. Privoxy is making changes to the headers:
Jul 24 15:08:14 Privoxy(000015f4) Header: crumble crunched: Proxy-Connection: Keep-Alive!
Jul 24 15:08:14 Privoxy(000015f4) Header: Adding: Connection: close
The effect of these changes is that the connection is closed after each HTTP GET is done and the response is received. When Privoxy is not used, IE7 keeps the connection open and when it receives the first response saying that authentication is required, it sends its second GET containing the NTLM authentication header using the same connection. Subsequent use of that same connection needs no further authentication. So it looks as though keeping the connection open is a requirement for NTLM authentication.
So, does anyone know any more about this? Will Privoxy be able to support NTLM authentication in the future? I took a quick look at the Privoxy source code (3.0.6 and current CVS), and it seems that closing the connection is necessary for Privoxy to work at present.
I also had an idea about how to fix my problem in the short term - if I could get Privoxy to remove the header that offers NTLM authentication, maybe IE7 would then use "basic" authentication. Is there a way to do that, with a filter maybe, or do I need to make a source code change to try it? I would need the filter to work on all web pages. I had a go to try to get a filter to do that, but I could not get it to work - it seemed to not be filtering the headers.
----------------------------------------------------------------------
Comment By: Stephen Worthington (stephen_w)
Date: 2007-07-25 03:03
Message:
Logged In: YES
user_id=1726722
Originator: YES
Oops, I pushed the wrong button on my browser and managed to create a
duplicate - please delete this one.
----------------------------------------------------------------------
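Editorial example, added here and not part of the original thread or of Privoxy: a small Python model of the behaviour described in the initial comment, where an intermediary that forces "Connection: close" breaks the connection-bound NTLM handshake while per-request Basic credentials still get through. The UpstreamProxy class, the fetch function and the token strings are hypothetical placeholders; no real NTLM messages are built.

```python
"""Toy model (constructed): NTLM proxy auth is bound to one TCP connection,
Basic auth is sent per request. Token strings are placeholders, not real NTLM."""
from dataclasses import dataclass, field

# What the client sends next for each challenge it receives in a 407.
NEXT_LEG = {"NTLM": "NTLM type1", "NTLM type2": "NTLM type3"}

@dataclass
class UpstreamProxy:
    """Hypothetical upstream proxy that tracks NTLM handshake state per connection."""
    state: dict = field(default_factory=dict)  # conn_id -> "challenged" | "authed"

    def handle(self, conn_id, auth):
        if auth == "Basic creds":           # stateless, valid on any connection
            return 200, None
        st = self.state.get(conn_id)
        if st == "authed":                  # connection already authenticated
            return 200, None
        if auth == "NTLM type1":
            self.state[conn_id] = "challenged"
            return 407, "NTLM type2"
        if auth == "NTLM type3" and st == "challenged":
            self.state[conn_id] = "authed"
            return 200, None
        return 407, "NTLM"                  # no usable state here: start over

def fetch(proxy, scheme, keep_alive, max_requests=6):
    """Return (final_status, requests_sent, connections_used) for one page fetch."""
    conn, auth, status = 0, None, None
    for sent in range(1, max_requests + 1):
        if conn == 0 or not keep_alive:
            conn += 1                       # "Connection: close" forces a new socket
        status, challenge = proxy.handle(conn, auth)
        if status == 200:
            return status, sent, conn
        auth = "Basic creds" if scheme == "Basic" else NEXT_LEG[challenge]
    return status, max_requests, conn

if __name__ == "__main__":
    for scheme, keep in [("NTLM", True), ("NTLM", False), ("Basic", False)]:
        print(scheme, "keep-alive" if keep else "close", fetch(UpstreamProxy(), scheme, keep))
```

With the connection closed after every response, the type 3 message always arrives on a socket that never saw the type 1, so the handshake restarts until the client gives up. Basic succeeds in that setup because the credentials travel in every request, base64-encoded rather than encrypted, which is the trade-off of steering clients from NTLM to Basic on an unencrypted proxy hop.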
_______________________________________________
Ijbswa-users mailing list
Ijbswa-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ijbswa-users