Posted to issues@trafficserver.apache.org by "Yakov Kopel (JIRA)" <ji...@apache.org> on 2012/11/02 06:32:12 UTC

[jira] [Commented] (TS-1491) Browser always prompts for authentication (NTLM)

    [ https://issues.apache.org/jira/browse/TS-1491?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13489270#comment-13489270 ] 

Yakov Kopel commented on TS-1491:
---------------------------------

Yes, you are right. I think we even need to do something like this:

index f4da17d..cd6904b 100644
--- a/proxy/http/HttpSM.cc
+++ b/proxy/http/HttpSM.cc
@@ -1611,10 +1611,10 @@ HttpSM::state_http_server_open(int event, void *data)
 
   switch (event) {
   case NET_EVENT_OPEN:
-    session = (2 == t_state.txn_conf->share_server_sessions) ?
+    session = ((2 == t_state.txn_conf->share_server_sessions && !is_private()) ?
       THREAD_ALLOC_INIT(httpServerSessionAllocator, mutex->thread_holding) :
       httpServerSessionAllocator.alloc();
-    session->share_session = t_state.txn_conf->share_server_sessions;
+    session->share_session = is_private() ? 0 : t_state.txn_conf->share_server_sessions;
 
     // If origin_max_connections or origin_min_keep_alive_connections is
     // set then we are metering the max and or min number
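
Review bot: the parentheses on the new `session = ((2 == t_state.txn_conf->share_server_sessions && !is_private()) ?` line do not balance: two are opened and only one is closed before the `?`, and neither of the next two lines closes the other, so this will not compile. Drop the extra opening parenthesis, or close the whole conditional expression after `httpServerSessionAllocator.alloc()`. Also, is_private() as defined later in this patch reads the flag from server_session or from the session attached to ua_session, not from the `session` being allocated here, so a short comment stating which session's state is meant to decide the allocator and the share_session value would help.
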
@@ -4375,7 +4375,7 @@ HttpSM::do_http_server_open(bool raw)
 
   if (raw == false && t_state.txn_conf->share_server_sessions &&
       (t_state.txn_conf->keep_alive_post_out == 1 || t_state.hdr_info.request_content_length == 0) &&
-      ua_session != NULL) {
+       !is_private()) && ua_session != NULL) {
     shared_result = httpSessionManager.acquire_session(this,    // state machine
                                                        &t_state.current.server->addr.sa,    // ip + port
                                                        t_state.current.server->name,    // hostname
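
Review bot: the condition in do_http_server_open no longer parses: `!is_private()) && ua_session != NULL) {` adds a closing parenthesis with no matching opener, which ends the `if (` early and leaves `&& ua_session != NULL) {` dangling. It should read `!is_private() && ua_session != NULL) {`, with the indentation matched to the line above (six spaces, not seven).
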
@@ -4402,7 +4402,7 @@ HttpSM::do_http_server_open(bool raw)
   // This bug was due to when share_server_sessions is set to 0
   // and we have keep-alive, we are trying to open a new server session
   // when we already have an attached server session.
-  else if ((!t_state.txn_conf->share_server_sessions) && (ua_session != NULL)) {
+  else if ((!t_state.txn_conf->share_server_sessions || is_private()) && (ua_session != NULL)) {
     HttpServerSession *existing_ss = ua_session->get_server_session();
 
     if (existing_ss) {
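
Review bot: the comment above the `else if` still describes this branch only as the case where share_server_sessions is set to 0, but with `|| is_private()` the branch is now also taken when sharing is enabled and the session is private. Please extend the comment so the reason for reusing the attached server session in the private case is documented.
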
@@ -5445,6 +5445,10 @@ HttpSM::setup_server_send_request()
     hdr_length += server_entry->write_buffer->write(t_state.internal_msg_buffer, msg_len);
     server_request_body_bytes = msg_len;
   }
+  // If we are sending authorizations headers, mark the connection private
+  if (t_state.hdr_info.server_request.presence(MIME_PRESENCE_AUTHORIZATION | MIME_PRESENCE_PROXY_AUTHORIZATION)) {
+      server_session->private_session = true;
+  }
   // If we are sending authorizations headers, mark the connection
   //  private
   /*if (t_state.hdr_info.server_request.presence(MIME_PRESENCE_AUTHORIZATION | MIME_PRESENCE_PROXY_AUTHORIZATION)) {
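
Review bot: `server_session->private_session = true;` dereferences server_session without a check, while is_private() in the same patch treats server_session as possibly NULL; either guard it here or assert that it is set at this point in setup_server_send_request. The old commented-out block with the same comment is left directly below the new one, so please delete it rather than keeping both, change "authorizations headers" to "authorization headers", and use the file's two-space indentation for the assignment.
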
diff --git a/proxy/http/HttpSM.h b/proxy/http/HttpSM.h
index 07aeaad..a6e9db7 100644
--- a/proxy/http/HttpSM.h
+++ b/proxy/http/HttpSM.h
@@ -41,6 +41,7 @@
#include "InkAPIInternal.h"
#include "StatSystem.h"
#include "HttpClientSession.h"
+#include "HttpServerSession.h"
#include "HdrUtils.h"
//#include "AuthHttpAdapter.h"
 
@@ -621,4 +622,17 @@ HttpSM::add_cache_sm()
   }
}
 
+inline bool
+HttpSM::is_private()
+{
+    if (server_session) {
+        return server_session->private_session;
+    } else if (ua_session) {
+        HttpServerSession * ss = ua_session->get_server_session();
+        if (ss) {
+            return ss->private_session;
+        }
+    }
+    return false;
+}
#endif
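
Review bot: `HttpSM::is_private()` is defined at the bottom of HttpSM.h, but no hunk shown here adds its declaration to the HttpSM class; unless that is in another part of the patch, this will not compile. Add `bool is_private();` to the class body (it could be `const`, since it only reads flags). The body uses four-space indentation and `HttpServerSession * ss`, where the surrounding code uses two spaces and the `HttpServerSession *existing_ss` style. If the definition were moved to HttpSM.cc, the new `#include "HttpServerSession.h"` in the header would not be needed.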


Anyway, this will fix only the connection reuse issue.
There is another issue: if the server disconnects, ATS creates a new connection but doesn't send a disconnect to the client.
This issue also causes NTLM prompts and SSL errors.

Regards,
Yakov.

                
> Browser always prompts for authentication (NTLM)
> ------------------------------------------------
>
>                 Key: TS-1491
>                 URL: https://issues.apache.org/jira/browse/TS-1491
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: Core
>            Reporter: Yakov Kopel
>            Assignee: Leif Hedstrom
>             Fix For: 3.2.3
>
>         Attachments: diff.patch
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> When the client surfs through ATS to a SharePoint site, the user gets the NTLM prompt message again and again.
> This is because of the reuse option that is turned on by default (you can turn it off with the proxy.config.http.share_server_sessions option).
> My attached patch turns on the private_session flag when ATS gets an auth connection, and then it will not use the reuse option for this connection.
> ----
> For further reading on this global bug in proxies:
> http://blogs.msdn.com/b/asiatech/archive/2012/03/28/ie-always-prompts-for-authentication-when-browsing-through-proxy-server.aspx
> Microsoft recommends at (http://technet.microsoft.com/en-us/library/cc995189.aspx):
> “we recommend that you use SSL encryption for the traffic between Forefront TMG and the client. NTLM authentication is per connection, and encryption prevents improper reuse of connections by legacy proxy devices on the Internet.”
