Solved

FTP, chrome and SQUID - incompatible

Posted on 2014-01-24
24
1,300 Views
Last Modified: 2014-02-04
Hi chrome experts.

I am looking for a real SQUID expert that has the following constellation working:
Chrome (current version) together with a SQUID proxy (current version) with NTLM authentication on a windows domain, accessing FTP sites with authentication. It does not work for me, chrome says:
Sorry, you are not currently allowed to request ftp://ftp.xyz.com/ from this cache until you have authenticated yourself.

This seems to be a bug, but the chromium developers are hesitating to even acknowledge it. https://code.google.com/p/chromium/issues/detail?id=328066

What works for me is the same constellation with any version of Internet Explorer.
Did anyone get it to work maybe by tuning SQUID?
0
Comment
Question by:McKnife
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 11
  • 8
  • 5
24 Comments
 
LVL 57

Expert Comment

by:giltjr
ID: 39806934
I looked at the link you provided and from their response this is not a bug, but a method of authentication that Chrome does not support.

For now Chrome has decided not to support doing NLTM/Kerberos for FTP sites.
0
 
LVL 55

Author Comment

by:McKnife
ID: 39806953
Hi.
Sorry, what response are you talking about?
0
 
LVL 57

Expert Comment

by:giltjr
ID: 39807004
I was assuming that the comment that start "Chrome when using FTP only supports basic auth. "

Was their response.  If it was not then I apologize.  However,  I have done quite a bit dealing with FTP (standard, SSL'ed FTP, and sftp).

Normally FTP (standard) passes user-id and password in clear text.  So it does not surprise me that a FTP client does not support  using NTLM as an authentication method.
0
Turn your laptop into a mobile console!

The CV211 Laptop USB Console Adapter provides a direct Laptop-to-Computer connection for fast and easy remote desktop access with no software to install.

 
LVL 55

Author Comment

by:McKnife
ID: 39807074
Both firefox and IE work with NTLM. Only chrome does not like it.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 39807243
Is the NTLM to the ftp server or the Proxy server?

The prompt looks like the proxy server is wanting the user to authenticate.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 39807287
I found this OLD bug issue with Chrome that deals with Chrome and NTLM authentication with Squid:

http://code.google.com/p/chromium/issues/detail?id=8771

It this case Squid was not doing something.  I'm not sure if in your case Squid is doing something and Chrome is not responding correct.
0
 
LVL 55

Author Comment

by:McKnife
ID: 39807311
Thanks, but I would like someone to answer who uses the same softwares. Everything else is speculation.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 39807387
It should be easy enough to do a packet capture to make sure that Squid is sending the correct header information back to Chrome.

I'll need to setup Squid in a isolated environment, but I did use Chrome to successfully connect to a server that is doing Windows Integrated authentication.

The HTTP 401 message coming back from the server contains both Negotiate and NTLM WWW-Authenticate headers.
0
 
LVL 62

Expert Comment

by:gheist
ID: 39808525
FTP sites with authentication? Which authentication FTP sites use?
0
 
LVL 55

Author Comment

by:McKnife
ID: 39808721
Let me clarify: I tried to find someone who already has that combination of proxy, browser and authentication running. Although surely possible, I am not looking for a way to analyze it.

So let me add the request to participate only if you use that very combination yourself and you can successfully access addresses of the type
ftp://user:password@ftp.domain.com
0
 
LVL 62

Expert Comment

by:gheist
ID: 39808733
If remote site uses NTLM authentication that does not work with firefox too...
0
 
LVL 55

Author Comment

by:McKnife
ID: 39808748
That's not what I am talking about. Our own proxy uses NTLM authentication, not the ftp server.
0
 
LVL 62

Expert Comment

by:gheist
ID: 39808763
Aparently nobody tried here...
By NTLM I presume you mean same winbindd I am using...
0
 
LVL 55

Author Comment

by:McKnife
ID: 39808767
Correct.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 39808772
Does the NTLM authentication to Squid work in your setup if you are just trying to access an external web site.  

The error you are getting indicates that the Chrome to Squid authentication is not working.

So the question is, what is Squid doing that Chrome does not like.

Again, a simple packet capture (Wireshark) or http capture (Fidder2) will show if Squid is proplery sending back the WWW-Authentication headers.

As gheist said, it seems nobody else that monitors these posted areas has or is doing this.

Yes we may be speculating, but we are speculating based on knowing how things should work and on bugs that others have reported in the past.  Which should be better than getting no help at all.
0
 
LVL 55

Author Comment

by:McKnife
ID: 39808778
giltjr and gheist, thanks for trying. I am trying to get an answer for "is there anyone using this combination successfully" and nothing more. I am capable of lowlevel analysis at any time myself - but I would not even start if it seems impossible to solve. The chromium link I posted first indicates that, but I wanted to hear people here.

To answer your question, giltjr: yes, anything else works. ftp sites with anonymous authentication do work, too. But with auth., they only work in IE or firefox, not in chrome.
0
 
LVL 62

Expert Comment

by:gheist
ID: 39808779
For me ftp with basic auth works if I save proxy basic auth credentials in proxy dialog and disable ntlm.
0
 
LVL 55

Author Comment

by:McKnife
ID: 39808786
Sorry, but we look for a solution with NTLM proxy auth.
0
 
LVL 62

Expert Comment

by:gheist
ID: 39808813
i have basic auth via winbindd as fallback.
then you can disable NTLM in client and still connect via proxy.
Chrome is not yet of top quality.
0
 
LVL 55

Author Comment

by:McKnife
ID: 39808826
No, we will stick with NTLM. As we have IE as a fallback for FTP already. I am just trying to complete the "chrome package" we offer.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 39808865
Doing a little more research I found that Chrome had a problem (issue 11227) doing FTP behind a HTTP proxy that was just fixed sometime last year.

As part of that stream it was noted that even after they fixed the FTP to HTTP proxy issue, they still had a problem with  Chrome supporting NTLM in this setup.  The person that reported it was supposed to open a new issue, but never did.  The most recent update refers to your newly opened issue (328066).  Read updates 44, 45, and 46 in issue:

http://code.google.com/p/chromium/issues/detail?id=11227

So it appears that they are researching this as a bug in the FTP component of Chrome.
0
 
LVL 55

Accepted Solution

by:
McKnife earned 0 total points
ID: 39808872
Great. Now you are where I was before posting here. I read that one :) and it led me to 328066. Since chrome has not even yet confirmed 328066, I think they don't really care.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 39808902
I don't know if it that they don't care.  It a matter of time, resources, number of affected users, and priority.

Right now all they have done is included a couple of the change teams to review to see if they can confirm the problem.

If you look it took them from Apr. 2009 to June 2013 ti fix the FTP proxy issue.

I would say that there are very few people that are using a HTTP proxy for FTP that requires NTLM authentication.  So the number of users affected is probably low, so even though this may be a high priority to you, it would be a low priority to them.

If there were, then this issue would have been found a LONG time ago and probably fixed by now.  I would expect that they will fix this, but it could be a LONG time (years).
0
 
LVL 55

Author Closing Comment

by:McKnife
ID: 39832019
Closing since no one uses this combination of softwares, so no experience could be exchanged. Thanks for participation.
0

Featured Post

Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

PRTG Network Monitor lets you monitor your bandwidth usage, so you know who is using up your bandwidth, and what they're using it for.
Ever visit a website where you spotted a really cool looking Font, yet couldn't figure out which font family it belonged to, or how to get a copy of it for your own use? This article explains the process of doing exactly that, as well as showing how…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question