Univention Bugzilla – Bug 32183
Office 2013 NTLM authentication to squid does not work
Last modified: 2013-11-19 06:44:02 CET
Normally NTLM authentication works like this:
Client sends NTLM Type 1
-> Squid asks helper with "YR" about Type 1 message
-> Helper returns Type 2 with "TT" to Squid
-> Squid sends Type 2 to client
-> Client sends Type 3
-> Squid asks helper with "KK" about Type 3 message
But with Office 2013 it happens that squid sends a Type 3 message with "YR" (only Type 1 is supposed to be sent with YR):
1375890089.06 - from squid -> YR ...
T1... is a Type 3 message
This behavior breaks the office2013 ntlm authentication.
I am not sure where the problem is (squid, the helper, Office), but it also does not work with the ntlm_auth samba helper.
The attached patch fixes the problem in our squid_ldap_ntlm_auth helper. NTLM type 3 verification is now also supported for "YR" messages.
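As an added illustration (not the Univention helper's own code and not the attached patch), the following Python models the helper-side dispatch described above: it reads the NTLMSSP message type out of the base64 blob squid passes with "YR" or "KK", and decides whether to issue a challenge, verify a Type 3 response, or reject the request. The `accept_type3_on_yr` flag is an assumed name that switches between the pre-fix behaviour (Type 3 on "YR" is rejected) and the fixed behaviour; the messages are constructed minimal blobs, not captured traffic.

```python
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"  # 8-byte header that starts every NTLMSSP message


def ntlm_message_type(b64_msg):
    """Return the NTLMSSP MessageType (1, 2 or 3) of a base64-encoded blob, or None."""
    try:
        raw = base64.b64decode(b64_msg, validate=True)
    except ValueError:
        return None
    # The 32-bit little-endian MessageType follows the 8-byte signature.
    if len(raw) < 12 or not raw.startswith(NTLMSSP_SIGNATURE):
        return None
    return struct.unpack_from("<I", raw, 8)[0]


def helper_action(cmd, b64_msg, accept_type3_on_yr=True):
    """Decide how an NTLM helper should treat one request line from squid.

    cmd is the squid helper verb ("YR" starts a handshake, "KK" continues it).
    Returns "challenge" (helper answers TT <type2>), "verify" (helper checks the
    Type 3 response and answers AF or NA) or "reject" (helper answers BH).
    accept_type3_on_yr=False models the helper before the fix described in this
    bug; True models the fixed behaviour (assumed flag name, for illustration).
    """
    mtype = ntlm_message_type(b64_msg)
    if cmd == "YR":
        if mtype == 1:
            return "challenge"
        if mtype == 3 and accept_type3_on_yr:
            return "verify"  # Office 2013 sends its Type 3 in a fresh YR
        return "reject"
    if cmd == "KK" and mtype == 3:
        return "verify"
    return "reject"


def constructed_message(mtype):
    """Build a minimal, constructed (not captured) NTLMSSP message of the given type."""
    # Signature, MessageType, then 24 zero bytes standing in for flags and empty
    # security buffers: enough for the type check, not a usable handshake message.
    raw = NTLMSSP_SIGNATURE + struct.pack("<I", mtype) + b"\x00" * 24
    return base64.b64encode(raw).decode()
```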
Created attachment 5359 [details]
Some links how to turn off internet access for office2013
Office 2013 with squid and Kerberos authentication works
Added ntlm type 3 verification for YR messages.
univention-squid: 7.0.1-1.201.201308081101 ucs3.2-0
univention-squid: 6.0.8-5.200.201308081045 errata3.1-1
This was observed at Ticket#: 2013080121004881
Created attachment 5384 [details]
Hmm, somehow I can't get the MS Office2013 registration to work yet. After initial installation and reboot it pops up an authentication dialogue when I start MS Word (as a regular domain user). IE9 squid authentication works fine though. The attached log shows the squid-ntlm-auth debug output logged when starting MS Word until the popup appears.
Created attachment 5385 [details]
squid cache.log about the same time interval at high debug level.
Actually I cannot see the Type 3 message in the initial YR. It looks more like in my test the Windows 7 client (or MS Office 2013) is unhappy with the TT challenge.
tagged for UCS 3.2-0, remove all 3.1-1 changes
svn change reverted, package deleted from errata3.1-1 and errata YAML
Office tried to open a http connection to "home" with http CONNECT, squid replied with "Authentication Required", office replied with an NTLM 1 message but at this point squid lost interest in this conversation ...
Seems that we need to explicitly activate squid authentication for http CONNECT with:
http_access allow CONNECT AuthorizedUsers
Then NTLM also works for an http CONNECT.
But I had to change the squid template. The acl's and rules were totally mixed up; now acl's are configured first, then all the rules follow. Hope this does not break anything.
* squid authentication based on ntlm
* squid authentication based on network
* allow local network -> squid/allow/localnet
* Office 2013 authentication works now in registration screen and also for opening help.
* NTLM authentication still works with normal web traffic (Win7/IE9)
* Restructured template is ok, no acl or http_access rule was dropped.
* Network based access rule works.
Additionally the behaviour of squid/allow/localnet=yes has been adjusted/fixed:
1. really allow the local interface networks, and not only the first one.
2. allow access to the local networks even in the case where authentication is enabled.
These points are in line with the changes of Bug 25700.
* Changelog Ok.
UCS 3.2 has been released:
If this error occurs again, please use "Clone This Bug".