Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

FTP, chrome and SQUID - incompatible

Posted on 2014-01-24
24
1,253 Views
Last Modified: 2014-02-04
Hi chrome experts.

I am looking for a real SQUID expert that has the following constellation working:
Chrome (current version) together with a SQUID proxy (current version) with NTLM authentication on a windows domain, accessing FTP sites with authentication. It does not work for me, chrome says:
Sorry, you are not currently allowed to request ftp://ftp.xyz.com/ from this cache until you have authenticated yourself.

This seems to be a bug, but the chromium developers are hesitating to even acknowledge it. https://code.google.com/p/chromium/issues/detail?id=328066

What works for me is the same constellation with any version of Internet Explorer.
Did anyone get it to work maybe by tuning SQUID?
0
Comment
Question by:McKnife
  • 11
  • 8
  • 5
24 Comments
 
LVL 57

Expert Comment

by:giltjr
ID: 39806934
I looked at the link you provided and from their response this is not a bug, but a method of authentication that Chrome does not support.

For now Chrome has decided not to support doing NLTM/Kerberos for FTP sites.
0
 
LVL 54

Author Comment

by:McKnife
ID: 39806953
Hi.
Sorry, what response are you talking about?
0
 
LVL 57

Expert Comment

by:giltjr
ID: 39807004
I was assuming that the comment that start "Chrome when using FTP only supports basic auth. "

Was their response.  If it was not then I apologize.  However,  I have done quite a bit dealing with FTP (standard, SSL'ed FTP, and sftp).

Normally FTP (standard) passes user-id and password in clear text.  So it does not surprise me that a FTP client does not support  using NTLM as an authentication method.
0
Master Your Team's Linux and Cloud Stack

Come see why top tech companies like Mailchimp and Media Temple use Linux Academy to build their employee training programs.

 
LVL 54

Author Comment

by:McKnife
ID: 39807074
Both firefox and IE work with NTLM. Only chrome does not like it.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 39807243
Is the NTLM to the ftp server or the Proxy server?

The prompt looks like the proxy server is wanting the user to authenticate.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 39807287
I found this OLD bug issue with Chrome that deals with Chrome and NTLM authentication with Squid:

http://code.google.com/p/chromium/issues/detail?id=8771

It this case Squid was not doing something.  I'm not sure if in your case Squid is doing something and Chrome is not responding correct.
0
 
LVL 54

Author Comment

by:McKnife
ID: 39807311
Thanks, but I would like someone to answer who uses the same softwares. Everything else is speculation.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 39807387
It should be easy enough to do a packet capture to make sure that Squid is sending the correct header information back to Chrome.

I'll need to setup Squid in a isolated environment, but I did use Chrome to successfully connect to a server that is doing Windows Integrated authentication.

The HTTP 401 message coming back from the server contains both Negotiate and NTLM WWW-Authenticate headers.
0
 
LVL 62

Expert Comment

by:gheist
ID: 39808525
FTP sites with authentication? Which authentication FTP sites use?
0
 
LVL 54

Author Comment

by:McKnife
ID: 39808721
Let me clarify: I tried to find someone who already has that combination of proxy, browser and authentication running. Although surely possible, I am not looking for a way to analyze it.

So let me add the request to participate only if you use that very combination yourself and you can successfully access addresses of the type
ftp://user:password@ftp.domain.com
0
 
LVL 62

Expert Comment

by:gheist
ID: 39808733
If remote site uses NTLM authentication that does not work with firefox too...
0
 
LVL 54

Author Comment

by:McKnife
ID: 39808748
That's not what I am talking about. Our own proxy uses NTLM authentication, not the ftp server.
0
 
LVL 62

Expert Comment

by:gheist
ID: 39808763
Aparently nobody tried here...
By NTLM I presume you mean same winbindd I am using...
0
 
LVL 54

Author Comment

by:McKnife
ID: 39808767
Correct.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 39808772
Does the NTLM authentication to Squid work in your setup if you are just trying to access an external web site.  

The error you are getting indicates that the Chrome to Squid authentication is not working.

So the question is, what is Squid doing that Chrome does not like.

Again, a simple packet capture (Wireshark) or http capture (Fidder2) will show if Squid is proplery sending back the WWW-Authentication headers.

As gheist said, it seems nobody else that monitors these posted areas has or is doing this.

Yes we may be speculating, but we are speculating based on knowing how things should work and on bugs that others have reported in the past.  Which should be better than getting no help at all.
0
 
LVL 54

Author Comment

by:McKnife
ID: 39808778
giltjr and gheist, thanks for trying. I am trying to get an answer for "is there anyone using this combination successfully" and nothing more. I am capable of lowlevel analysis at any time myself - but I would not even start if it seems impossible to solve. The chromium link I posted first indicates that, but I wanted to hear people here.

To answer your question, giltjr: yes, anything else works. ftp sites with anonymous authentication do work, too. But with auth., they only work in IE or firefox, not in chrome.
0
 
LVL 62

Expert Comment

by:gheist
ID: 39808779
For me ftp with basic auth works if I save proxy basic auth credentials in proxy dialog and disable ntlm.
0
 
LVL 54

Author Comment

by:McKnife
ID: 39808786
Sorry, but we look for a solution with NTLM proxy auth.
0
 
LVL 62

Expert Comment

by:gheist
ID: 39808813
i have basic auth via winbindd as fallback.
then you can disable NTLM in client and still connect via proxy.
Chrome is not yet of top quality.
0
 
LVL 54

Author Comment

by:McKnife
ID: 39808826
No, we will stick with NTLM. As we have IE as a fallback for FTP already. I am just trying to complete the "chrome package" we offer.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 39808865
Doing a little more research I found that Chrome had a problem (issue 11227) doing FTP behind a HTTP proxy that was just fixed sometime last year.

As part of that stream it was noted that even after they fixed the FTP to HTTP proxy issue, they still had a problem with  Chrome supporting NTLM in this setup.  The person that reported it was supposed to open a new issue, but never did.  The most recent update refers to your newly opened issue (328066).  Read updates 44, 45, and 46 in issue:

http://code.google.com/p/chromium/issues/detail?id=11227

So it appears that they are researching this as a bug in the FTP component of Chrome.
0
 
LVL 54

Accepted Solution

by:
McKnife earned 0 total points
ID: 39808872
Great. Now you are where I was before posting here. I read that one :) and it led me to 328066. Since chrome has not even yet confirmed 328066, I think they don't really care.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 39808902
I don't know if it that they don't care.  It a matter of time, resources, number of affected users, and priority.

Right now all they have done is included a couple of the change teams to review to see if they can confirm the problem.

If you look it took them from Apr. 2009 to June 2013 ti fix the FTP proxy issue.

I would say that there are very few people that are using a HTTP proxy for FTP that requires NTLM authentication.  So the number of users affected is probably low, so even though this may be a high priority to you, it would be a low priority to them.

If there were, then this issue would have been found a LONG time ago and probably fixed by now.  I would expect that they will fix this, but it could be a LONG time (years).
0
 
LVL 54

Author Closing Comment

by:McKnife
ID: 39832019
Closing since no one uses this combination of softwares, so no experience could be exchanged. Thanks for participation.
0

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Data center, now-a-days, is referred as the home of all the advanced technologies. In-fact, most of the businesses are now establishing their entire organizational structure around the IT capabilities.
This article will inform Clients about common and important expectations from the freelancers (Experts) who are looking at your Gig.
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
This Micro Tutorial will demonstrate how to add subdomains to your content reports. This can be very importing in having a site with multiple subdomains.

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question