Article delegate-en/4109 of [1-5169] on the server localhost:119
[Reference:<_A4107@delegate-en.ML_>]
Newsgroups: mail-lists.delegate-en

[DeleGate-En] Re: FW: [DeleGate-En] Windows Integrated Authentication
05 Sep 2008 09:34:35 GMT "Nagel, Willy" <ptihqbdyi-uyhyq23ve4tr.ml@ml.delegate.org>


Hi Yutaka,

I already tested using http instead of https.

In a setup where I proxy for IIS without Integrated Windows
Authentication, all works fine with the certificates.

I now used the following config:

-Plisten_ip:80
-fv
-Enh
ADMIN=admin@test..nl 
DGROOT="/DeleGate/" 
DELAY=reject:0,unknown:0
SERVER=http
AUTHORIZER=-ntht
HTTPCONF=methods:*
MOUNT="/* http://destination_ip/* via=server_ip"
REACHABLE=destination_ip:80
RELIABLE="*"

Still no traffic goes to the destination server. 
But it seems that running the server in the foreground changed the
credentials used from 'NT_AUTHORITY\SYSTEM' to
'SERVERNAME\Administrator'.

09/05 10:06:24.34 [1880] 1+1: REQUEST - GET / HTTP/1.1^M
09/05 10:06:24.34 [1880] 1+1: *** / => http://192.168.4.24/ ***
09/05 10:06:24.34 [1880] 1+1: REQUEST +M http://192.168.4.24/ HTTP/1.1^M
09/05 10:06:24.34 [1880] 1+1: ----NTHT accept 0 MO=1 UT=0
09/05 10:06:24.34 [1880] 1+1: ----NTHT_accept(0,38,38) ss=0
09/05 10:06:24.34 [1880] 1+1: ####cred name=servername\administrator
09/05 10:06:24.34 [1880] 1+1: ====NTLM Start
(WIN) 09:06:24.357 [1880] send(356) = -1+0 errno=10058 [1864]
09/05 10:06:24.36 [1880] 1+1: ## got SIGPIPE [1] in HTTP:
(WIN) 09:06:24.357 [1880] +++EPIPE[38] fflushTIMEOUT() for EOF
09/05 10:06:24.36 [1880] 1+1: ClientEOF: request-EOF-7 [38 38] 0 8000 0
09/05 10:06:24.36 [1880] 1+1: HCKA:[0] closed -- d:by client(request EOF-7)
09/05 10:06:24.36 [1880] 1+1: disconnected [38] -@[56.34.217.136]ip765ced988.speed.planet.com:35035 (0.078s)(0)
ip765ced988.speed.planet.com - - [05/Sep/2008:10:06:24 +0100] "GET http://192.168.4.24/ HTTP/1.1" 401 577 0*0.000+0.000:A:0d

Now I removed the AUTHORIZER=-ntht option and it looks more like it:

-Plisten_ip:80
-Enh
-fv
ADMIN=admin@test..nl 
DGROOT="/DeleGate/" 
DELAY=reject:0,unknown:0
SERVER=http
HTTPCONF=methods:*
MOUNT="/* http://destination_ip/* via=server_ip"
REACHABLE=destination_ip:80
RELIABLE="*"

Traffic now goes to the destination server and the logfile shows:

09/05 11:18:09.59 [852] 1+1: (0) accepted [54] -@[54.56.217.136]ip768ced988.speed.planet.com:35466 (0.031s)(1)
09/05 11:18:09.61 [852] 1+1: Proxy: host=ip768ced988.speed.planet.com; User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; InfoPath.1; .NET CLR 2.0.50727); DIRECT
09/05 11:18:09.61 [852] 1+1: HCKA:[0] Keep-Alive; host=ip768ced988.speed.planet.nl; (User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; InfoPath.1; .NET CLR 2.0.50727))
09/05 11:18:09.62 [852] 1+1: REQUEST - GET / HTTP/1.1^M
09/05 11:18:09.62 [852] 1+1: *** / => http://192.168.4.24/ ***
09/05 11:18:09.62 [852] 1+1: REQUEST +M http://192.168.4.24/ HTTP/1.1^M
09/05 11:18:09.64 [852] 1+1: *** / => http://192.168.4.24/ ***
09/05 11:18:09.64 [852] 1+1: PATH> http://192.168.4.24:80!servername:80!ip768ced988.speed.planet.com:35466!anonymous@ip768ced988.speed.planet.com;1220606289
09/05 11:18:09.64 [852] 1+1: REQUEST = [http://192.168.4.24:80/] GET / HTTP/1.1^M
09/05 11:18:09.64 [852] 1+1: XHost: (0,0,1) 192.168.4.24 <= sft.test.nl
09/05 11:18:09.64 [852] 1+1: connectTO: assume in non-blocking mode
09/05 11:18:09.65 [852] 1+1: ConnectToServer connected [34] {192.168.4.24:80 <- 192.168.1.60:1612} [0.016s]
09/05 11:18:09.65 [852] 1+1: willSTLS_SV: ServerFlags=8000
09/05 11:18:09.65 [852] 1+1: HTTP => (192.168.4.24:80) GET / HTTP/1.1^M
09/05 11:18:09.65 [852] 1+1: default netmask 54.56.217.136/. = FFFFFF00
09/05 11:18:09.65 [852] 1+1: ## hostIFto 54.56.217.136 < 192.168.1.60 (ffffff00)
09/05 11:18:09.67 [852] 1+1: default netmask 54.56.217.136/. = FFFFFF00
09/05 11:18:09.67 [852] 1+1: HTTP error request: GET / HTTP/1.1^M
09/05 11:18:09.67 [852] 1+1: HTTP error status: 401 Unauthorized
09/05 11:18:09.67 [852] 1+1: ----NTHT buffResp 20 RX_code=401
09/05 11:18:09.67 [852] 1+1: ----NTHT KeepAlive for 401 (-401)
09/05 11:18:09.67 [852] 1+1: #HT11 DO-response-buffering for NTHT
09/05 11:18:09.69 [852] 1+1: HTTP error header: Content-Length: 1656^M
09/05 11:18:09.69 [852] 1+1: HTTP error header: Content-Type: text/html^M
09/05 11:18:09.69 [852] 1+1: HTTP error header: Server: Microsoft-IIS/6.0^M
09/05 11:18:09.69 [852] 1+1: ----NTHT R Negotiate 20
09/05 11:18:09.69 [852] 1+1: HTTP error header: WWW-Authenticate: Negotiate^M
09/05 11:18:09.69 [852] 1+1: HTTP error header: WWW-Authenticate: NTLM^M
09/05 11:18:09.69 [852] 1+1: HTTP error header: X-Powered-By: ASP.NET^M
09/05 11:18:09.69 [852] 1+1: HTTP error header: Date: Fri, 05 Sep 2008 09:21:57 GMT^M
09/05 11:18:09.69 [852] 1+1: ----NTHT 20 added Proxy-Support header
09/05 11:18:09.69 [852] 1+1: #HT11 SERVER ver[HTTP/1.1] conn[]
09/05 11:18:09.69 [852] 1+1: ----NTHT Keep-Alive on err. (-401) 20
09/05 11:18:09.69 [852] 1+1: HTTP error header: ^M
09/05 11:18:09.69 [852] 1+1: HTTP/1.1 401 Content-{Type:text/html Encoding:[/] Leng:1656} KA:1/1 Server:Microsoft-IIS/6.0
09/05 11:18:09.69 [852] 1+1: ----NTHT start session E0
09/05 11:18:09.69 [852] 1+1: ----NTHT E0 putMIMEmsg (401)
09/05 11:18:09.69 [852] 1+1: ----NTHT E0 NO putMIMEmsg
09/05 11:18:09.69 [852] 1+1: ####Gzip [0.000000] - 1656 => 930 [38=>42]
09/05 11:18:09.69 [852] 1+1: putMIMEmsg: Content-Length: 1656 -> 930 (1281 - 351) [gzip]
09/05 11:18:09.69 [852] 1+1: #CEcl put Content-Encoding:gzip
09/05 11:18:09.70 [852] 1+1: ----NTHT keep-alive 401 -401
09/05 11:18:09.70 [852] 1+1: DON'T CLOSE RESPONSE:(0) /
09/05 11:18:09.70 [852] 1+1: HTTP transmitted: 216head+1656/1656body=>0txt+0bin->930/930, 10i/1o/0f/0.0 ---z-
09/05 11:18:09.70 [852] 1+1: #HT11 putServ(35/36/34) 192.168.4.24:80
09/05 11:18:09.70 [852] 1+1: ----NTHT retryAuth: 1 NTHT=E0
09/05 11:18:09.70 [852] 1+1: ----NTHT without auth. conv.
09/05 11:18:09.70 [852] 1+1/1: ----NTHT E0 KA=1
09/05 11:18:09.76 [852] 1+1/1: ClientEOF: request-EOF-6 [54 54] 0 0 0
09/05 11:18:09.76 [852] 1+1/1: HCKA:[1] closed -- d:by client(request EOF-6)
09/05 11:18:09.78 [852] 1+1/1: disconnected [54] -@[54.56.217.136]ip768ced988.speed.planet.com:35466 (0.219s)(0)
ip768ced988.speed.planet.com - - [05/Sep/2008:11:18:09 +0100] "GET http://192.168.4.24/ HTTP/1.1" 401 1656 0*0.016+0.047:RW:0d

Maybe I got it wrong, but I expect to receive a popup on the client
computer, and those credentials should then be used on the destination
server to authenticate.

Thanks.

Kind regards,

Willy Nagel

-----Original Message-----
From: Yutaka Sato [mailto:feedback@delegate.org] 
Sent: Friday, September 05, 2008 9:58 AM
To: feedback@delegate.org
Cc: Nagel, Willy
Subject: Re: [DeleGate-En] FW: [DeleGate-En] Windows Integrated
Authentication

Hi Willy,

In message <_A4106@delegate-en.ML_>
on 09/05/08(16:06:53) you "Nagel, Willy" <ptihqbdyi-uyhyq23ve4tr.ml@ml.delegate.org> wrote:
 |I've been testing using the same config file, with 9.8.5-pre1, but I'm
 |still unsuccessful.
 |
 |No traffic appears to be going to the destination server (when looking
 |in our firewall logging).
 |
 |Here's the logfile:

Something seems bad with SSL, and/or with running as a background
service.
I'll test it myself, but you are recommended to test it without SSL
and/or running your DeleGate in the foreground (with the -fv option).

Cheers,
Yutaka
--
  9 9   Yutaka Sato <y.sato@delegate.org> http://delegate.org/y.sato/
 ( ~ )  National Institute of Advanced Industrial Science and Technology
_<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
Do the more with the less -- B. Fuller


This message and attachment(s) are intended solely for use by the addressee and may contain information that is privileged, confidential or otherwise exempt from disclosure under applicable law.

If you are not the intended recipient or agent thereof responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited.

If you have received this communication in error, please notify the sender immediately by telephone and with a 'reply' message.

Thank you for your co-operation.
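The second log above ends at the hard part of relaying Windows Integrated Authentication: IIS answers 401 with both `WWW-Authenticate: Negotiate` and `WWW-Authenticate: NTLM`, DeleGate keeps the upstream connection alive ("NTHT KeepAlive for 401") and adds a Proxy-Support header, and everything that follows has to stay on that one upstream socket, because NTLM authenticates the TCP connection rather than each request. The block below is an added example written for this page, not DeleGate's code and not anything the posters wrote; it shows the bookkeeping a pass-through proxy needs: reading the 401, decoding NTLMSSP message types, pinning CHALLENGE and AUTHENTICATE to the upstream socket on which the client's NEGOTIATE went out, and refusing a Type 3 that arrives for a different pooled socket. The connection ids, the sample headers (modelled on the 401 in the log) and the minimal tokens are all constructed for the demo; only raw NTLM tokens are handled, not SPNEGO-wrapped Negotiate tokens.

```python
"""Connection-affinity bookkeeping for NTLM pass-through (added example, not DeleGate code).

NTLM token layouts follow MS-NLMP (signature, uint32 message type at offset 8,
ServerChallenge at offset 24 of a CHALLENGE). Connection ids are labels only."""
import base64
import struct

NTLMSSP = b"NTLMSSP\x00"
NEGOTIATE, CHALLENGE, AUTHENTICATE = 1, 2, 3


def header_values(headers, name):
    """All values of a repeatable header from a list of (name, value) pairs."""
    return [v for k, v in headers if k.lower() == name.lower()]


def challenge_schemes(headers):
    """Auth schemes a 401 offers, one per WWW-Authenticate line."""
    return [v.split(None, 1)[0] for v in header_values(headers, "WWW-Authenticate")]


def needs_connection_affinity(status, headers):
    """A 401 offering NTLM/Negotiate means the upstream socket must be held, not pooled."""
    return status == 401 and any(s in ("NTLM", "Negotiate") for s in challenge_schemes(headers))


def ntlm_message_type(token_b64):
    data = base64.b64decode(token_b64)
    if len(data) < 12 or data[:8] != NTLMSSP:
        raise ValueError("not an NTLMSSP token")
    return struct.unpack_from("<I", data, 8)[0]


def server_challenge(token_b64):
    """The 8-byte ServerChallenge a CHALLENGE carries; Type 3 is computed from it."""
    data = base64.b64decode(token_b64)
    if ntlm_message_type(token_b64) != CHALLENGE or len(data) < 32:
        raise ValueError("not a CHALLENGE message")
    return data[24:32]


# Minimal, spec-shaped tokens, constructed for the demo exchange below.
def build_negotiate(flags=0xE2088297):
    return NTLMSSP + struct.pack("<II", NEGOTIATE, flags) + b"\x00" * 16  # empty Domain/Workstation


def build_challenge(challenge, flags=0xE28A8215):
    assert len(challenge) == 8
    return (NTLMSSP + struct.pack("<I", CHALLENGE) + struct.pack("<HHI", 0, 0, 48)  # empty TargetName
            + struct.pack("<I", flags) + challenge + b"\x00" * 8 + struct.pack("<HHI", 0, 0, 48))


def build_authenticate(nt_response, flags=0xE2888215):
    fixed = 64  # six (len, maxlen, offset) descriptors + flags; only NtChallengeResponse is non-empty
    fields = struct.pack("<HHI", 0, 0, fixed)
    fields += struct.pack("<HHI", len(nt_response), len(nt_response), fixed)
    fields += struct.pack("<HHI", 0, 0, fixed) * 4
    return NTLMSSP + struct.pack("<I", AUTHENTICATE) + fields + struct.pack("<I", flags) + nt_response


class NtlmPassThrough:
    """Per-client record of which upstream socket the handshake is bound to."""

    def __init__(self):
        self.bound = {}  # client_id -> {"upstream", "challenge", "authenticated"}

    def on_server_response(self, client_id, upstream_id, status, headers):
        state = self.bound.get(client_id)
        if status == 200 and state and state["upstream"] == upstream_id:
            state["authenticated"] = True  # this socket now carries the user's identity
            return "authenticated"
        if not needs_connection_affinity(status, headers):
            return "pass"
        for value in header_values(headers, "WWW-Authenticate"):
            if value.startswith("NTLM "):  # Type 2 arrives with the token appended
                if state is None or state["upstream"] != upstream_id:
                    raise RuntimeError("CHALLENGE on a socket the client never negotiated on")
                state["challenge"] = server_challenge(value[5:])
                return "challenge"
        return "keep-alive"  # bare 401: hold the upstream open for the client's Type 1

    def on_client_request(self, client_id, upstream_id, headers):
        auth = header_values(headers, "Authorization")
        if not auth or not auth[0].startswith("NTLM "):
            return "plain"
        mtype = ntlm_message_type(auth[0][5:])
        if mtype == NEGOTIATE:
            self.bound[client_id] = {"upstream": upstream_id, "challenge": None, "authenticated": False}
            return "negotiate"
        if mtype == AUTHENTICATE:
            state = self.bound.get(client_id)
            if state is None or state["upstream"] != upstream_id or state["challenge"] is None:
                raise RuntimeError("AUTHENTICATE must follow CHALLENGE on the same upstream socket")
            return "authenticate"
        raise ValueError("unexpected NTLM message type %d" % mtype)


def demo_exchange():
    """Continue the exchange the log stops at; returns the proxy's decision at each step."""
    proxy, trace = NtlmPassThrough(), []
    iis_401 = [("WWW-Authenticate", "Negotiate"), ("WWW-Authenticate", "NTLM"), ("Server", "Microsoft-IIS/6.0")]
    trace.append(proxy.on_server_response("c1", "up7", 401, iis_401))
    t1 = base64.b64encode(build_negotiate()).decode()
    trace.append(proxy.on_client_request("c1", "up7", [("Authorization", "NTLM " + t1)]))
    t2 = base64.b64encode(build_challenge(bytes(range(8)))).decode()
    trace.append(proxy.on_server_response("c1", "up7", 401, [("WWW-Authenticate", "NTLM " + t2)]))
    t3 = base64.b64encode(build_authenticate(b"\x11" * 24)).decode()
    trace.append(proxy.on_client_request("c1", "up7", [("Authorization", "NTLM " + t3)]))
    trace.append(proxy.on_server_response("c1", "up7", 200, [("Content-Type", "text/html")]))
    try:  # the same Type 3 over a different pooled socket must be refused
        proxy.on_client_request("c1", "up8", [("Authorization", "NTLM " + t3)])
        trace.append("wrong-socket-accepted")
    except RuntimeError:
        trace.append("wrong-socket-refused")
    return trace
```

Two points worth keeping in mind when reading the thread's logs against this. First, the two runs differ in who authenticates: with AUTHORIZER=-ntht the log shows DeleGate's own process credential (`cred name=servername\administrator`) at "NTLM Start", whereas without it the 401 and its WWW-Authenticate headers are relayed back to the browser, which is the pass-through mode the poster is asking for. Second, once the upstream answers 200 the socket is authenticated as that user; a proxy that returns such a socket to a shared pool would let a different client ride on those credentials, which is why the example keeps the binding rather than clearing it.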


