Unable to Access the MS Sharepoint using Squid 3


Environment

  • Red Hat Enterprise Linux 6
  • Squid-3.1

Issue

There is a problem accessing a Microsoft SharePoint site through a Squid-3.1 proxy. The browser displays a password prompt as expected when accessing the SharePoint site, but the correct password does not work.

The following errors are logged in the Squid 'access.log' log file:

2012-12-12 10:11:25 <IP_Address> - TCP_DENIED/407 GET http://sharept.address.com/
2012-12-12 10:11:26 <IP_Address> person@INTRA.SERVER.COM TCP_MISS/401 GET http://sharept.address.com/

An attempt to access a Sharepoint site without authentication results in the following log entry:

2012-12-12 13:50:46 <IP_Address> - TCP_MISS/401 GET http://sharept.address.com/

The users are registered in Active Directory, and the issue occurs whether the Squid server is inside or outside of the domain.

Additionally, the previous major version of Squid, squid-2.6.STABLE21-3.el5 from RHEL5, works fine.

Resolution

There is no solution for this in Squid-3.1. The community developers state that it is not necessary to backport patches for these authentication problems found in Squid-3.1 because these issues were already solved in Squid-3.2.

Many complex changes would have to be made to the Red Hat shipped version of Squid-3.1, so fixes of this kind cannot be considered a backport. As with the community version, these issues will be fixed only in Squid-3.2, which will be shipped in RHEL7.

Possible Workarounds

One workaround is to use the community version of Squid-3.2. Such an installation gives up Red Hat support only for this particular package; the rest of the system continues to be supported normally. For any questions or problems where Squid is not involved, Red Hat will usually assist.

Another possibility for Windows clients (i.e. browsers) may be to implement a workaround with a proxy autoconfiguration file (Windows Proxy Auto Discovery, WPAD). It should be set up so that all clients connect directly to the problematic SharePoint server instead of going through the proxy. The following code snippet implements this functionality:

function FindProxyForURL(url, host)
{
        // NTLM authentication to MS SharePoint is broken in Squid 3.1.10
        // so always use direct connection to SharePoint server
        if ( dnsDomainIs(host, "www.sharepointserver.com"))
        {
                return "DIRECT";
        }

        // Otherwise use Squid proxy (with fallback to direct connection if proxy server is unavailable)
        return "PROXY squidproxy.com:3128; DIRECT";
}
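
To check the exception before distributing the PAC file, the following added example (not part of the original article) runs the article's rule and an exact-match variant over constructed host names in Node.js. The `dnsDomainIs` stub assumes the classic suffix-match behaviour of browser PAC helpers, and `findProxyArticle`, `findProxyExact` and `compareRules` are hypothetical names.

```javascript
// Added example: offline harness for the PAC workaround (not from the article).
// dnsDomainIs is normally supplied by the browser; this stub follows the classic
// suffix-match definition of the PAC helper functions (assumption).
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}

const SHAREPOINT_HOST = "www.sharepointserver.com";     // placeholder from the article
const PROXY_RULE = "PROXY squidproxy.com:3128; DIRECT"; // rule from the article

// The article's rule, unchanged in behaviour.
function findProxyArticle(url, host) {
  if (dnsDomainIs(host, SHAREPOINT_HOST)) {
    return "DIRECT";
  }
  return PROXY_RULE;
}

// Tighter variant: bypass the proxy only for the exact SharePoint host name,
// so no other host escapes proxy logging and filtering.
function findProxyExact(url, host) {
  if (host === SHAREPOINT_HOST) {
    return "DIRECT";
  }
  return PROXY_RULE;
}

// Constructed host names covering the cases that matter for the exception.
const CASES = [
  "www.sharepointserver.com",    // intended bypass
  "intranet.example.com",        // unrelated host, must use the proxy
  "notwww.sharepointserver.com", // suffix match without a label boundary
];

// Returns one row per host so both rule sets can be compared before rollout.
function compareRules(hosts) {
  return hosts.map((host) => ({
    host,
    article: findProxyArticle("http://" + host + "/", host),
    exact: findProxyExact("http://" + host + "/", host),
  }));
}

console.table(compareRules(CASES));
```

Rows where the two columns differ are hosts that the suffix-based rule sends around the proxy although they are not the SharePoint server.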

Root Cause

There are indeed issues with Squid-3.1 authenticating against a Microsoft SharePoint server, and there is a private Red Hat Bugzilla opened for them:

There is also a related community Bugzilla:

According to the package maintainers themselves, it is not feasible to fix this bug in version 3.1 because this is not an isolated problem in the package, but rather a combination of several authentication-related problems that have already been fixed in Squid 3.2. This community bug will be closed since the problem no longer exists in the package.

Red Hat acts in a similar way since the package provided by Red Hat follows the development of its upstream. Both sides argued that this problem is related to the way in which the stations handle requests sent to and received from the server, and is not directly connected with the proxy server itself. Version 3.2 of Squid has been prepared to handle these requests as well; however, the problem originates on the side of those who make the request: the client.

Unfortunately, backported fixes for version 3.1 of Squid will not be made. Instead, the package will be maintained and these corrections will come with the package upgrade to version 3.2, which should be present in future versions of Red Hat Enterprise Linux. This is because correcting this issue in the source would require many modifications that affect the core of the package and can no longer be regarded as backports.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.