ERROR: Negotiate Authentication validating user. Error returned 'BH received type 1 NTLM token'

squid
proxy

(Antonio Carlos Lemos Junior) #1

When using authenticated Squid, it is not possible to use the internet on Windows.
Every time I receive a pop-up requiring username and password.
In the log file there’s an error message:

ERROR: Negotiate Authentication validating user. Error returned ‘BH received type 1 NTLM token’

How could I resolve this issue?

Thanks


(Markus Neuberger) #2

Hi @antonioclj,

welcome to the NethServer Community.

Did you set up 127.0.0.1 as DNS server like in the following thread (similar error)?

If not please tell us some more about your config by posting the output of:

config show dns
config show sssd

Which Windows version and browser(s) do you use?
Do your clients use NethServer as DNS server?
Did you enter the NethServer FQDN in the proxy settings of your browser? There may be problems with using the IP address.

http://docs.nethserver.org/en/v7/web_proxy.html#authenticated-mode


(Antonio Carlos Lemos Junior) #3

Hi @mrmarkuz,

Thanks.

Windows XP and Windows 10 (same error message)

My clients are using NethServer as DNS.

I used the IP, but I made a new test with the FQDN and got the same pop-up.


(Markus Neuberger) #4

The settings seem to be ok.

Which browser do you use?

I tested it now on Windows 10 with Firefox set to automatically detect proxy settings and it worked.

I entered just the username without domain and the password once and the box disappeared until I reopen the browser.


(Antonio Carlos Lemos Junior) #5

Google Chrome and Edge.

Is it right that the Squid time is different from the server time?


(Markus Neuberger) #6

I tried it with Edge and Chrome now and you have to deactivate “detect settings automatically” and set the proxy manually: (Sorry for my German Windows screenshot)

Yes, it’s GMT

https://www.timeanddate.com/time/zones/gmt


NethServer DC WebProxy and Windows Client
(Antonio Carlos Lemos Junior) #7

Thanks @mrmarkuz

Only using the IP works. (The pop-up appears.)


(Antonio Carlos Lemos Junior) #8

Finally works. :smiley:

When I used the hostname of the server as the proxy, Win XP works (Chrome and Opera).
The latest version of Firefox does not install on Win XP.

But the Edge browser changes the hostname (Windows 10).

Suggestion?


(Markus Neuberger) #9

You may try to set it up via the “old” internet settings panel. You’ll find it in chrome proxy settings.


(Antonio Carlos Lemos Junior) #10

Well, I installed Firefox and Chrome (Windows 10). Firefox works (but I have a problem with all links with announcements - YouTube does not play video). Chrome and Edge don’t work.

Opera and Firefox on Win XP work, but with the same problem with the announcements.

Web Filter is disabled.

Trying to find the problem.


(Markus Neuberger) #11

You just need to enter the FQDN without “http”:


(Antonio Carlos Lemos Junior) #12

Sites that use the 443 port are blocked.
The option block https is disabled.

Suggestion?

Thanks.


(Markus Neuberger) #13

Does browsing work normally? Because in the case of authentication this is not a bad error:

All requests which require authentication but do not provide it get a 407 or
401 response challenging the browser to provide some credentials. This is
true for all authentication types.

http://www.squid-cache.org/mail-archive/squid-users/201008/0571.html


(Antonio Carlos Lemos Junior) #14

With sites that use https I have lag and trouble.
WinXP opens https but I have trouble on some links.
On Win10 the same sites can’t open (https).
Definitely I have a problem with https.

Suggestions?

Thanks


(Markus Neuberger) #15

Sorry, I could not reproduce the “ERR_TIMED_OUT”. The log files seem to be ok.

I tried it with Win 10 and XP now:

On Win 10 Edge, Firefox and Chrome are working.

On Win XP only Firefox ESR works; the other browsers have problems with auth, but I have to use old browser versions on XP because the newer ones are not supported anymore.

My settings:

Proxy (manually set, FQDN): proxy.domain.local
Turn off any proxy script autodetection function.


(Rodrigo Vieira Da Costa) #16

Hello
I have the same problem! I configured the proxy with squid and AD, authentication works on FIREFOX, however in IE and Chrome the message appears:


I put as fqdn and also with ip to test. Only in firefox it worked. What can it be?


(Antonio Carlos Lemos Junior) #17

Unfortunately I do not know what is happening. I have refactored the server again and it still gives the same error. If transparent mode is selected all sites work correctly but if authenticated mode is selected the sites are again blocked. Tested on Windows 10 and Windows XP. This config was used with AD mode enabled.


(Markus Neuberger) #18

Hi @antonioclj and @Rodrigo_Vieira_da_Co,

please try to open different browsers and log in more often. I had some problems immediately after activating auth proxy on a Win 7 machine but I opened another browser, logged in and it worked.
It seems like Opera, Chrome and MS browsers (IE, Edge) use the same proxy config of Windows internet options. Firefox can use its own proxy setting. Use the FQDN in proxy settings and check that DNS is fast on your proxy. Clients should use NethServer as DHCP and DNS.

Use dig nethserver.org to check DNS response.

You may open a terminal and watch the log live with tail -f /var/log/cache.log. This is also possible in web UI with log viewer. You should see a working auth after some errors:

2018/04/01 03:16:12 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: received type 1 NTLM token; }}
2018/04/01 03:16:51| negotiate_kerberos_auth: INFO: User markus@AD.CMB.LOCAL authenticated
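
The log pattern described in post #18, as an added example that is not part of the original thread: a shell function that reads cache.log text and separates the harmless case (NTLM type 1 errors followed by Kerberos successes) from the failing one (NTLM tokens only). The function names, verdict labels and all sample lines except the first two are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Sample lines are constructed;
# the first two mirror the cache.log lines quoted in post #18.
sample_log() {
cat <<'EOF'
2018/04/01 03:16:12 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: received type 1 NTLM token; }}
2018/04/01 03:16:51| negotiate_kerberos_auth: INFO: User markus@AD.CMB.LOCAL authenticated
2018/04/01 03:17:02 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: received type 1 NTLM token; }}
2018/04/01 03:17:03 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: received type 1 NTLM token; }}
2018/04/01 03:18:40| negotiate_kerberos_auth: INFO: User alice@AD.CMB.LOCAL authenticated
2018/04/01 03:19:05| negotiate_kerberos_auth: INFO: User markus@AD.CMB.LOCAL authenticated
EOF
}

# Reads cache.log text on stdin and prints one summary line:
#   ntlm_fallback  Negotiate attempts that carried an NTLM type 1 token
#   kerberos_ok    successful negotiate_kerberos_auth logins
#   users          distinct authenticated principals
#   verdict        ok_after_errors | ntlm_only | no_auth_events
# ntlm_only means no client obtained a Kerberos ticket for the proxy; in this
# thread that was tied to entering the proxy by IP instead of its FQDN.
summarize_negotiate() {
  awk '
    /received type 1 NTLM token/ { ntlm++ }
    /negotiate_kerberos_auth: INFO: User .* authenticated/ {
      ok++
      for (i = 1; i < NF; i++)
        if ($i == "User" && !($(i + 1) in seen)) { seen[$(i + 1)]; n++ }
    }
    END {
      verdict = "no_auth_events"
      if (ok > 0) verdict = "ok_after_errors"
      else if (ntlm > 0) verdict = "ntlm_only"
      printf "ntlm_fallback=%d kerberos_ok=%d users=%d verdict=%s\n", ntlm, ok, n, verdict
    }'
}

# Stand-alone run on the constructed sample; on the server, feed it the
# cache.log watched in post #18 instead.
sample_log | summarize_negotiate
```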

(Rodrigo Vieira Da Costa) #19

Thanks, @mrmarkuz!
I will test!


(Markus Neuberger) #20

@antonioclj @Rodrigo_Vieira_da_Co

There’s a howto that covers auth proxy…