ERROR: Negotiate Authentication validating user


(Veeramani P) #1

NethServer Version: NethServer release 7.4.1708 (Final)
Module: Web Proxy (SQUID)

Dear Team,

If I enable dns_v4_first on in the squid config file, I get error messages like this in the cache log. Before, we didn’t receive this many errors in the cache log. After enabling dns_v4_first we are getting lots of errors like this.


How to rectify this issue? Kindly let me know.
This is our squid configuration.

We are reporting this kind of errors every time, Why you are taking this as a bug and resolving yourself. Because we are facing more and more trouble once we enable web proxy (squid).

Kindly take it as a serious problem and resolve immediately. This is for a request.

@mrmarkuz
@davidep
@flatspin
@filippo_carletti


(Markus Neuberger) #2

I tested with Nethserver proxy and Zentyal as remote AD (I assume you still use this config). After switching proxies and some testing I recognized I could not login with chrome and got the same error (ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: received type 1 NTLM token; }}). I could solve it by deleting the saved proxy credentials on the client and logging in with edge/opera. After that chrome worked too. dns_v4_first made no difference in my tests.

If you still use Nethserver 7.4 please run a backup and update your server.


(Veeramani P) #3

Thanks for your information.

But we are using Windows Server 2012 R2 as thin-client machines on the client side. Here I didn’t see any saved password details. Then how could I delete the saved password?

Kindly help me.


(Markus Neuberger) #4

OK, just to recap:

Active Directory is on Zentyal.
Nethserver is joined to Zentyal AD and used as proxy and web filter.
Windows Server 2012 R2 is joined to Zentyal AD and acts as a remote desktop host.
Users use some thin client and connect via RDP to Windows Server 2012 R2 and want to use Nethserver proxy.

Is this correct so far? Which browser is used? I’ll try to reproduce but I need all details.


(Veeramani P) #5

Yes, we are using the same scenario:
Active Directory is on Zentyal. ( V5)
Nethserver is joined to Zentyal AD (Domain join)
Windows Server 2012 R2 is joined to Zentyal AD and acts as a remote desktop host (Remote Desktop using Vspare l300 N-computing Device)

All client machines (Windows server 2012 r2, Ubuntu 14.04, Windows 7) are joined to DC (Domain join) and all machines are using thin client (N computing for RDP)

Once we enable dns_v4_first on in the squid config file, there is no problem in Ubuntu, it’s working fine. But when it comes to Windows, the Chrome browser asks for the username and password in a pop-up every 30 min. Once we enter the user name and password, it’s not cleared.


I need to fix this issue quickly. Kindly help me.

@mrmarkuz
@davidep
@flatspin
@filippo_carletti


(Markus Neuberger) #6

I am going to reproduce it…

Please try entering username/password in internet explorer/edge and then test if chrome works. Maybe chrome has some problems in terminal server mode.


(Veeramani P) #7

We are trying to access Internet Explorer the same as the Chrome browser. But we are not able to save the password in IE, because it’s joined to the domain and using the FQDN in proxy settings. It’s not asking for any password. But if we put the IP address in proxy settings, it asks for the password, and once we enter it, it’s not cleared; it asks again and again, same as Chrome.

Maybe if we enable cookies in Chrome it will help. I don’t know, just asking for a suggestion.


I tried these two options. What is the difference between these two options?


(Veeramani P) #8

After 1 hr Internet Explorer asks for the password again and again; once we enter it, it’s not cleared. The same as happened before in Chrome. Nothing changed.

Kindly provide the solution.


(Markus Neuberger) #9

For domain users it worked without password window. I didn’t use web content filter in my tests, so please try if something changes if you disable it.

I could only reproduce the issue with a non domain user. It’s not possible to use chrome to connect to the proxy because it falls back to NTLM mode…in this case it does not work (tried user@domain, domain\user… without success)

Only possibility was to use Internet Explorer one time and save credentials (the domain is recognized correctly, but it should also work with “otherdomain\user”):


Or enter the credentials in the manager:

After that chrome should work.

Client proxy settings on Windows Server:

My test setup:

zentyal.domain.local - Zentyal 5.1 AD: domain(.local), created “testuser” and “newuser”, under computers you should see the Nethserver and the Windows Server:

testvm2.domain.local - Nethserver 7.5 joined to AD, enabled authenticated proxy, dns_v4_first on

win2012r2.domain.local - Windows Server 12R2 joined to Zentyal AD, installed RDS role (quick setup, all on one machine)

w10client - Windows 10 machine with remotedesktop to connect to the Windows Server.
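
Added example, not part of the thread and not NethServer or Squid code: the error quoted in post #2 ("received type 1 NTLM token") is logged when a client answers the proxy's Negotiate challenge with an NTLMSSP token instead of a Kerberos/SPNEGO one, which is the NTLM fallback described in post #9. This Python sketch classifies a Proxy-Authorization value and counts those errors per hour in cache.log; the token bytes, timestamps and the "kid1|" line prefix are constructed samples, and the function names are illustrative.

```python
import base64
import re
import struct
from collections import Counter

NTLM_SIG = b"NTLMSSP\x00"

def classify_negotiate_token(header_value):
    """Classify the token carried by a 'Negotiate <base64>' header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return "not-negotiate"
    try:
        raw = base64.b64decode(b64.strip(), validate=True)
    except ValueError:
        return "malformed"
    if raw.startswith(NTLM_SIG) and len(raw) >= 12:
        # NTLMSSP: little-endian uint32 message type at offset 8.
        (msg_type,) = struct.unpack_from("<I", raw, 8)
        return f"ntlm-type-{msg_type}"
    if raw[:1] == b"\x60":
        # ASN.1 APPLICATION 0 tag: GSS-API initial token (SPNEGO/Kerberos).
        return "gssapi"
    return "unknown"

# Matches the cache.log error quoted in the thread; captures date and hour.
BH_NTLM = re.compile(r"^(?P<hour>\d{4}/\d{2}/\d{2} \d{2}):\d{2}:\d{2} .*ERROR: "
                     r"Negotiate Authentication validating user\..*type 1 NTLM token")

def ntlm_fallbacks_per_hour(lines):
    """Count NTLM-inside-Negotiate helper errors per hour of cache.log."""
    hits = Counter()
    for line in lines:
        m = BH_NTLM.search(line)
        if m:
            hits[m.group("hour")] += 1
    return hits

# Constructed samples (assumptions, not data from the thread's servers).
SAMPLE_NTLM = "Negotiate " + base64.b64encode(
    NTLM_SIG + struct.pack("<II", 1, 0x0000B207)).decode()
SAMPLE_GSS = "Negotiate " + base64.b64encode(
    b"\x60\x82\x01\x00\x06\x06\x2b\x06\x01\x05\x05\x02").decode()
ERR = ("ERROR: Negotiate Authentication validating user. Result: "
       "{result=BH, notes={message: received type 1 NTLM token; }}")
SAMPLE_LOG = [f"2018/07/10 10:15:02 kid1| {ERR}",
              f"2018/07/10 10:45:07 kid1| {ERR}",
              "2018/07/10 11:02:31 kid1| Logfile: opening log /var/log/squid/access.log"]
```

A rising per-hour count alongside clients that classify as `ntlm-type-1` points at the client side (no usable Kerberos ticket for the proxy name configured in the browser) rather than at the Squid helper.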


(Veeramani P) #10

@mrmarkuz
For domain users it worked without a password, but it works for only 1 hr; after that it asks for the password in a pop-up message and it does not get cleared.

We are trying all those possible ways as mentioned above. Nothing works perfectly. Internet Explorer does not save the credentials; it asks again and again (same as Chrome). I don’t know what to do now, we are getting trouble with this issue. Once we enter the credentials in the manager, after that IE and Chrome ask for the password again and again.

Why is it not working on any Windows machines? It is much better on Linux machines. We need a solution for this issue.


(Marc) #11

If your issue is the same…

There’s a patch in quality assurance testing:


(Veeramani P) #12

What should I do now, As per your post

There’s a patch in quality assurance testing:

Should I change the wpad.dat template files as mentioned in the above post, or what else should I do now? Tell me the exact solution.


(Marc) #13

wpad file is templated. The package in testing that includes the patch is:
http://packages.nethserver.org/nethserver/7/testing/x86_64/Packages/nethserver-squid-1.7.1-1.1.g1bfda75.ns7.noarch.rpm

yum --enablerepo=nethserver-testing update nethserver-squid

(Veeramani P) #14

We need to update NS version 7.4 to 7.5, that’s what you are saying.
But in version 7.5 there is no update regarding web proxy (squid), as I went through the release post (7.5). Then how does it work?


(Marc) #15

I’m just pointing where the patch is.

Release notes are for ISO releases (when a new NethServer version is published). It does not contain all the minor updates to packages released after the ISO.


(Veeramani P) #16

When I run squid -v in the command line I get this result.

Here the squid version is 3.5, then what is the use of this package we install?
http://packages.nethserver.org/nethserver/7/testing/x86_64/Packages/nethserver-squid-1.7.1-1.1.g1bfda75.ns7.noarch.rpm

A little bit of confusion about these two entries.


(Marc) #17

nethserver-squid is the package that auto-configures squid settings on NethServer.


(Veeramani P) #18

Thanks for your valuable information. We will update the squid package and get back if there is any issue.


(Ralf Jeckel) #19

Would be nice to give feedback anyway. As you know this package is in testing, so positive feedback is also very welcome, not only if there are problems. This is a good way to contribute to this project. Test and report. :wink: