Bug 32183 - Office 2013 NTLM authentication to squid does not work
Product: UCS
Classification: Unclassified
Component: Squid
UCS 3.1
Other Linux
Importance: P5 normal
Target Milestone: UCS 3.2
Assigned To: Felix Botner
Arvid Requate
: interim-3
Depends on:
Reported: 2013-08-07 17:56 CEST by Felix Botner
Modified: 2013-11-19 06:44 CET (History)

squid_ldap_ntlm_auth.patch (1.45 KB, patch)
2013-08-07 17:57 CEST, Felix Botner
squid-ntlm-auth.log (8.16 KB, text/plain)
2013-08-20 17:59 CEST, Arvid Requate
cache.log (31.10 KB, text/plain)
2013-08-20 18:00 CEST, Arvid Requate

Description Felix Botner univentionstaff 2013-08-07 17:56:36 CEST
Normally the NTLM authentication works like this:

Client sends NTLM Type 1
  -> Squid asks helper with "YR" about Type 1 message
    -> Helper returns Type 2 with "TT" to Squid
      -> Squid sends Type 2 to client
        -> Client sends Type 3
          -> Squid asks helper with "KK" about Type 3 message

But with Office 2013 it happens that Squid sends a Type 3 message with "YR" (only Type 1 is supposed to be sent with "YR"):

T1... is a Type 3 message

This behavior breaks the Office 2013 NTLM authentication.

I am not sure where the problem is (Squid, the helper, Office), but it also does not work with the ntlm_auth Samba helper.

The attached patch fixes the problem in our squid_ldap_ntlm_auth helper. NTLM Type 3 verification is now also supported for "YR" messages.
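The YR/TT/KK exchange described in the report, modelled as an added example in Python (this is not code from the bug, from the squid_ldap_ntlm_auth helper or from Samba's ntlm_auth). It builds minimal NTLMSSP Type 1/2/3 messages, drives a toy helper with the lines Squid writes on the helper's stdin, and contrasts a helper that rejects a Type 3 under "YR" with one that verifies it, which is the behaviour the attached patch is described as adding. The principal list and the credential check are constructed stand-ins for the helper's LDAP lookup; the negotiate flag values, the "EXAMPLE" domain and the 24-byte NT response are assumed values.

```python
import base64
import os
import struct

# NTLMSSP framing per MS-NLMP: 8-byte signature, then uint32 MessageType.
SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE, CHALLENGE, AUTHENTICATE = 1, 2, 3

# Constructed stand-in for the account lookup the real helper does via LDAP.
KNOWN_PRINCIPALS = {"EXAMPLE\\ALICE", "EXAMPLE\\BOB"}


def _secbuf(payload: bytes, offset: int) -> bytes:
    """Security buffer header: Len and MaxLen (uint16), Offset (uint32)."""
    return struct.pack("<HHI", len(payload), len(payload), offset)


def _read_secbuf(raw: bytes, pos: int) -> bytes:
    length, _maxlen, offset = struct.unpack_from("<HHI", raw, pos)
    if offset + length > len(raw):
        raise ValueError("security buffer points outside the message")
    return raw[offset:offset + length]


def message_type(raw: bytes) -> int:
    """Return the NTLMSSP MessageType (1, 2 or 3); raise on a foreign blob."""
    if len(raw) < 12 or raw[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    return struct.unpack_from("<I", raw, 8)[0]


def build_type1(flags: int = 0xE2088297) -> bytes:
    # Signature, MessageType, NegotiateFlags, empty domain/workstation buffers.
    return SIGNATURE + struct.pack("<II", NEGOTIATE, flags) + _secbuf(b"", 32) * 2


def build_type2(server_challenge: bytes, flags: int = 0xE2898215) -> bytes:
    # Signature, MessageType, TargetName buffer, NegotiateFlags, ServerChallenge, Reserved.
    assert len(server_challenge) == 8
    return (SIGNATURE + struct.pack("<I", CHALLENGE) + _secbuf(b"", 40)
            + struct.pack("<I", flags) + server_challenge + bytes(8))


def build_type3(domain: str, user: str, workstation: str, nt_response: bytes) -> bytes:
    # Six buffers: LM response, NT response, domain, user, workstation, session key.
    fields = [b"", nt_response, domain.encode("utf-16-le"), user.encode("utf-16-le"),
              workstation.encode("utf-16-le"), b""]
    header_len = 8 + 4 + 6 * 8 + 4          # signature, type, buffers, flags
    header, payload = SIGNATURE + struct.pack("<I", AUTHENTICATE), b""
    for field in fields:
        header += _secbuf(field, header_len + len(payload))
        payload += field
    return header + struct.pack("<I", 0xE2888215) + payload


def parse_type3(raw: bytes) -> dict:
    if message_type(raw) != AUTHENTICATE:
        raise ValueError("not a Type 3 message")
    _lm, nt, domain, user, ws, _key = (_read_secbuf(raw, 12 + 8 * i) for i in range(6))
    return {"domain": domain.decode("utf-16-le"), "user": user.decode("utf-16-le"),
            "workstation": ws.decode("utf-16-le"), "nt_response": nt}


class NtlmHelper:
    """One helper process as Squid drives it: Squid writes 'YR <b64>' or 'KK <b64>',
    the helper answers TT (challenge), AF (authenticated), NA (denied) or BH (error)."""

    def __init__(self, accept_type3_on_yr: bool):
        self.accept_type3_on_yr = accept_type3_on_yr   # behaviour the patch adds
        self.challenge = None

    def handle(self, line: str) -> str:
        cmd, _, b64 = line.strip().partition(" ")
        raw = base64.b64decode(b64) if b64 else b""
        try:
            mtype = message_type(raw) if raw else None
        except ValueError as exc:
            return "BH %s" % exc
        if cmd == "YR":
            if mtype in (None, NEGOTIATE):          # normal start: issue a challenge
                self.challenge = os.urandom(8)
                return "TT " + base64.b64encode(build_type2(self.challenge)).decode()
            if mtype == AUTHENTICATE and self.accept_type3_on_yr:
                return self._verify(raw)            # the Office 2013 case from the report
            return "BH unexpected NTLM Type %s in YR" % mtype
        if cmd == "KK":
            if self.challenge is None:
                return "BH KK without a preceding YR"
            if mtype != AUTHENTICATE:
                return "BH expected NTLM Type 3 in KK, got %s" % mtype
            return self._verify(raw)
        return "BH unknown helper command %r" % cmd

    def _verify(self, raw: bytes) -> str:
        self.challenge = None                       # a challenge is single use
        info = parse_type3(raw)
        principal = "%s\\%s" % (info["domain"], info["user"])
        # Stand-in for the real credential check (NT response against the stored hash).
        if principal.upper() in KNOWN_PRINCIPALS and len(info["nt_response"]) >= 24:
            return "AF " + principal
        return "NA credentials rejected for " + principal


def demo():
    """Normal flow, then the Office 2013 flow against the old and the patched helper."""
    t1 = base64.b64encode(build_type1()).decode()
    t3 = base64.b64encode(build_type3("EXAMPLE", "alice", "WS01", b"\x11" * 24)).decode()
    helper = NtlmHelper(accept_type3_on_yr=False)
    normal = [helper.handle("YR " + t1), helper.handle("KK " + t3)]
    office_old = [NtlmHelper(accept_type3_on_yr=False).handle("YR " + t3)]
    office_fixed = [NtlmHelper(accept_type3_on_yr=True).handle("YR " + t3)]
    return normal, office_old, office_fixed
```

Running `demo()` shows the old helper answering "BH" when the first line it sees is "YR" with a Type 3 payload, which is what makes Squid abort the Office 2013 handshake, while the patched helper verifies the Type 3 and answers "AF". Note that a Type 3 arriving under "YR" was computed against a challenge this helper instance never issued, so a real helper must still verify the response cryptographically rather than trust the principal name as the stand-in here does.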
Comment 1 Felix Botner univentionstaff 2013-08-07 17:57:34 CEST
Created attachment 5359 (squid_ldap_ntlm_auth.patch)
Comment 3 Felix Botner univentionstaff 2013-08-08 09:49:16 CEST
Office 2013 with Squid and Kerberos authentication works.
Comment 4 Felix Botner univentionstaff 2013-08-08 11:05:35 CEST
Added NTLM Type 3 verification for "YR" messages.

univention-squid: 7.0.1-1.201.201308081101 ucs3.2-0

univention-squid: 6.0.8-5.200.201308081045 errata3.1-1

YAML: 2013-08-08-univention-squid.yaml
Comment 5 Janis Meybohm univentionstaff 2013-08-20 17:07:27 CEST
This was observed at Ticket#: 2013080121004881
Comment 6 Arvid Requate univentionstaff 2013-08-20 17:59:09 CEST
Created attachment 5384 (squid-ntlm-auth.log)

Hmm, somehow I can't get the MS Office2013 registration to work yet. After initial installation and reboot it pops up an authentication dialogue when I start MS Word (as a regular domain user). IE9 squid authentication works fine though. The attached log shows the squid-ntlm-auth debug output logged when starting MS Word until the popup appears.
Comment 7 Arvid Requate univentionstaff 2013-08-20 18:00:18 CEST
Created attachment 5385 (cache.log)

squid cache.log about the same time interval at high debug level.
Comment 8 Arvid Requate univentionstaff 2013-08-20 18:02:47 CEST
Actually I cannot see the Type 3 message in the initial YR. It looks more like in my test the Windows 7 client (or MS Office 2013) is unhappy with the TT challenge.
Comment 9 Felix Botner univentionstaff 2013-10-30 16:53:06 CET
tagged for UCS 3.2-0, remove all 3.1-1 changes
Comment 10 Felix Botner univentionstaff 2013-10-30 17:03:09 CET
svn changed reverted, package deleted from errata3.1-1 and errata YAML
Comment 11 Felix Botner univentionstaff 2013-10-31 11:17:00 CET
Office tried to open an HTTP connection to "home" with HTTP CONNECT, Squid replied with "Authentication Required", Office replied with an NTLM Type 1 message, but at this point Squid lost interest in this conversation ...

It seems that we need to explicitly activate Squid authentication for HTTP CONNECT with:
  http_access allow CONNECT AuthorizedUsers

Then NTLM also works for an HTTP CONNECT.

But I had to change the Squid template. The ACLs and rules were totally mixed up; now the ACLs are configured first, then all the rules follow. Hope this does not break anything.


* Squid authentication based on NTLM
* Squid authentication based on network
* allow local network -> squid/allow/localnet
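A squid.conf fragment illustrating the layout Felix describes (all acl definitions first, then the http_access rules, with CONNECT explicitly covered by the proxy_auth acl), added here as an example; it is not the UCS template itself. The helper path, the children count, the localnet address range and every acl name other than AuthorizedUsers and CONNECT are assumptions.

```conf
# --- acl definitions first ---
# Helper path is assumed; UCS ships its own squid_ldap_ntlm_auth.
auth_param ntlm program /usr/lib/squid3/squid_ldap_ntlm_auth
auth_param ntlm children 10
auth_param ntlm keep_alive on

acl localnet src 10.200.0.0/16          # assumed; rendered from squid/allow/localnet=yes
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT
acl AuthorizedUsers proxy_auth REQUIRED

# --- http_access rules second; evaluated top to bottom, first match wins ---
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# The line the bug turned on: without it the NTLM handshake that Office 2013
# starts on an HTTP CONNECT never completes.
http_access allow CONNECT AuthorizedUsers
http_access allow localnet
http_access allow AuthorizedUsers
http_access deny all
```

Because Squid stops at the first matching http_access line, an acl that is referenced before it is defined, or a rule that sits above the deny it was meant to override, silently changes the result; keeping every acl above the first http_access line is what makes the rule order reviewable.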
Comment 12 Arvid Requate univentionstaff 2013-10-31 16:26:10 CET

* Office 2013 authentication works now in registration screen and also for opening help.

* NTLM authentication still works with normal web traffic (Win7/IE9)

* Restructured template is ok, no acl or http_access rule was dropped.

* Network based access rule works.

Additionally the behaviour of squid/allow/localnet=yes has been adjusted/fixed:
1. Really allow the local interface networks, and not only the first one.
2. Allow access to the local networks even in the case where authentication is enabled.

These points are in line with the changes of Bug 25700.

* Changelog Ok.
Comment 13 Stefan Gohmann univentionstaff 2013-11-19 06:44:02 CET
UCS 3.2 has been released:

If this error occurs again, please use "Clone This Bug".