Solved

FTP, chrome and SQUID - incompatible

Posted on 2014-01-24
Last Modified: 2014-02-04
Hi chrome experts.

I am looking for a real SQUID expert that has the following constellation working:
Chrome (current version) together with a SQUID proxy (current version) with NTLM authentication on a windows domain, accessing FTP sites with authentication. It does not work for me, chrome says:
Sorry, you are not currently allowed to request ftp://ftp.xyz.com/ from this cache until you have authenticated yourself.

This seems to be a bug, but the chromium developers are hesitating to even acknowledge it. https://code.google.com/p/chromium/issues/detail?id=328066

What works for me is the same constellation with any version of Internet Explorer.
Did anyone get it to work maybe by tuning SQUID?

Question by:McKnife

24 Comments

Expert Comment

by:giltjr

I looked at the link you provided and from their response this is not a bug, but a method of authentication that Chrome does not support.

For now Chrome has decided not to support doing NTLM/Kerberos for FTP sites.

Author Comment

by:McKnife

Hi.
Sorry, what response are you talking about?

Expert Comment

by:giltjr

I was assuming that the comment that starts "Chrome when using FTP only supports basic auth." was their response. If it was not, then I apologize. However, I have done quite a bit dealing with FTP (standard, SSL'ed FTP, and sftp).

Normally FTP (standard) passes user-id and password in clear text. So it does not surprise me that an FTP client does not support using NTLM as an authentication method.

Author Comment

by:McKnife

Both firefox and IE work with NTLM. Only chrome does not like it.

Expert Comment

by:giltjr

Is the NTLM to the ftp server or the Proxy server?

The prompt looks like the proxy server is wanting the user to authenticate.

Expert Comment

by:giltjr

I found this OLD bug issue with Chrome that deals with Chrome and NTLM authentication with Squid:

http://code.google.com/p/chromium/issues/detail?id=8771

In this case Squid was not doing something. I'm not sure if in your case Squid is doing something and Chrome is not responding correctly.

Author Comment

by:McKnife

Thanks, but I would like someone to answer who uses the same software. Everything else is speculation.

Expert Comment

by:giltjr

It should be easy enough to do a packet capture to make sure that Squid is sending the correct header information back to Chrome.

I'll need to set up Squid in an isolated environment, but I did use Chrome to successfully connect to a server that is doing Windows Integrated authentication.

The HTTP 401 message coming back from the server contains both Negotiate and NTLM WWW-Authenticate headers.

Expert Comment

by:gheist

FTP sites with authentication? Which authentication do FTP sites use?

Author Comment

by:McKnife

Let me clarify: I tried to find someone who already has that combination of proxy, browser and authentication running. Although surely possible, I am not looking for a way to analyze it.

So let me add the request to participate only if you use that very combination yourself and you can successfully access addresses of the type
ftp://user:password@ftp.domain.com

Expert Comment

by:gheist

If the remote site uses NTLM authentication, that does not work with Firefox either...

Author Comment

by:McKnife

That's not what I am talking about. Our own proxy uses NTLM authentication, not the ftp server.

Expert Comment

by:gheist

Apparently nobody tried here...
By NTLM I presume you mean same winbindd I am using...

Author Comment

by:McKnife

Correct.

Expert Comment

by:giltjr

Does the NTLM authentication to Squid work in your setup if you are just trying to access an external web site?

The error you are getting indicates that the Chrome to Squid authentication is not working.

So the question is, what is Squid doing that Chrome does not like.

Again, a simple packet capture (Wireshark) or http capture (Fiddler2) will show if Squid is properly sending back the WWW-Authentication headers.

As gheist said, it seems nobody else that monitors these posted areas has or is doing this.

Yes we may be speculating, but we are speculating based on knowing how things should work and on bugs that others have reported in the past.  Which should be better than getting no help at all.
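
The header check suggested in the comments above, as an added example that is not part of the original thread: it parses a captured response head and reports whether the proxy (407) or the origin server (401) is asking for credentials, which schemes are offered, and which NTLM handshake step a token carries. The sample responses are constructed and the function names are hypothetical.

```python
import base64
import struct

AUTH_HEADERS = {"proxy-authenticate", "www-authenticate"}
NTLM_TYPES = {1: "negotiate", 2: "challenge", 3: "authenticate"}

def ntlm_message_type(token_b64):
    """Name the NTLMSSP message carried in a base64 token, or None."""
    try:
        raw = base64.b64decode(token_b64, validate=True)
    except ValueError:
        return None
    if len(raw) < 12 or raw[:8] != b"NTLMSSP\x00":
        return None
    return NTLM_TYPES.get(struct.unpack_from("<I", raw, 8)[0])

def auth_challenges(raw_response):
    """Return (status code, list of challenges) from a raw response head."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    status = int(lines[0].split(" ", 2)[1])
    found = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() not in AUTH_HEADERS:
            continue
        scheme, _, rest = value.strip().partition(" ")
        found.append({"scheme": scheme.upper(),
                      "ntlm_step": ntlm_message_type(rest.strip()) if rest else None})
    return status, found

def diagnose(raw_response):
    """Summarise who is asking for credentials and which schemes it offers."""
    status, found = auth_challenges(raw_response)
    schemes = [c["scheme"] for c in found]
    return {"asked_by": {407: "proxy", 401: "origin"}.get(status, "nobody"),
            "schemes": schemes,
            "basic_offered": "BASIC" in schemes,  # Basic is only base64, not encrypted
            "ntlm_step": next((c["ntlm_step"] for c in found if c["ntlm_step"]), None)}

# Constructed samples (not captured from the poster's network).
_TYPE2 = base64.b64encode(b"NTLMSSP\x00" + struct.pack("<I", 2) + bytes(20)).decode()
FIRST_407 = ("HTTP/1.1 407 Proxy Authentication Required\r\n"
             "Proxy-Authenticate: NTLM\r\n"
             'Proxy-Authenticate: Basic realm="proxy"\r\n\r\n<html>...')
SECOND_407 = ("HTTP/1.1 407 Proxy Authentication Required\r\n"
              f"Proxy-Authenticate: NTLM {_TYPE2}\r\n\r\n")

if __name__ == "__main__":
    for sample in (FIRST_407, SECOND_407):
        print(diagnose(sample))
```

Paste the response head from a Wireshark "Follow TCP Stream" view or a Fiddler raw inspector into `diagnose()` to compare what the proxy sends to each browser.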

Author Comment

by:McKnife

giltjr and gheist, thanks for trying. I am trying to get an answer for "is there anyone using this combination successfully" and nothing more. I am capable of low-level analysis at any time myself - but I would not even start if it seems impossible to solve. The chromium link I posted first indicates that, but I wanted to hear people here.

To answer your question, giltjr: yes, anything else works. ftp sites with anonymous authentication do work, too. But with auth., they only work in IE or firefox, not in chrome.

Expert Comment

by:gheist

For me ftp with basic auth works if I save proxy basic auth credentials in proxy dialog and disable ntlm.

Author Comment

by:McKnife

Sorry, but we look for a solution with NTLM proxy auth.

Expert Comment

by:gheist

I have basic auth via winbindd as fallback.
Then you can disable NTLM in client and still connect via proxy.
Chrome is not yet of top quality.

Author Comment

by:McKnife

No, we will stick with NTLM, as we have IE as a fallback for FTP already. I am just trying to complete the "chrome package" we offer.

Expert Comment

by:giltjr

Doing a little more research I found that Chrome had a problem (issue 11227) doing FTP behind an HTTP proxy that was just fixed sometime last year.

As part of that stream it was noted that even after they fixed the FTP to HTTP proxy issue, they still had a problem with  Chrome supporting NTLM in this setup.  The person that reported it was supposed to open a new issue, but never did.  The most recent update refers to your newly opened issue (328066).  Read updates 44, 45, and 46 in issue:

http://code.google.com/p/chromium/issues/detail?id=11227

So it appears that they are researching this as a bug in the FTP component of Chrome.

Accepted Solution

by:McKnife

Great. Now you are where I was before posting here. I read that one :) and it led me to 328066. Since chrome has not even yet confirmed 328066, I think they don't really care.

Expert Comment

by:giltjr

I don't know if it is that they don't care. It is a matter of time, resources, number of affected users, and priority.

Right now all they have done is included a couple of the change teams to review to see if they can confirm the problem.

If you look, it took them from Apr. 2009 to June 2013 to fix the FTP proxy issue.

I would say that there are very few people that are using an HTTP proxy for FTP that requires NTLM authentication. So the number of users affected is probably low, so even though this may be a high priority to you, it would be a low priority to them.

If there were, then this issue would have been found a LONG time ago and probably fixed by now.  I would expect that they will fix this, but it could be a LONG time (years).

Author Closing Comment

by:McKnife

Closing since no one uses this combination of software, so no experience could be exchanged. Thanks for participation.