Basic LDAP Proxy Auth Bites Back Again

We have set up Squid box to authenticate users using Basic LDAP scheme. Access from Internet Explorer to most of the sites works fine. But checks for certificate revocation in Internet Explorer are failing. Why?

When user tries to access the remote site Internet Explorer shows a pop up box asking the user to authenticate. After typing correct credentials into that box user is able to browse the sites.

Each time HTTPS server is accessed, Internet Explorer tries to validate the certificate that server presented using online validation checks (OSCP for example). Unfortunately this is done by Microsoft Crypto API and not by IE itself. Microsoft Crypto API cannot show a popup to the user and thus fails to authenticate.

This is clearly visible in the following sample certificate validation request in WireShark:

GET http://crl4.digicert.com/sha2-ha-server-g4.crl HTTP/1.1\r\n
Accept: */*\r\n
User-Agent: Microsoft-CryptoAPI/6.1\r\n
Proxy-Connection: Keep-Alive\r\n
Host: crl4.digicert.com\r\n
\r\n

Doing the search on Google we see the following two articles.

Recommendations

1. Use Kerberos as method of AD authentication (recommended). See https://docs.diladele.com/administrator_guide_6_0/active_directory/index.html for all required steps.

2. Bypass authentication for Microsoft Crypto API. In order to do that, add Microsoft-CryptoAPI/6.1 as user agent bypass string in UI / Squid / Auth / Exclusions / User Agent. Not recommended.

3. Do not use Internet Explorer 🙂 Up to you to decide.

 

 

About sichent

sichent
This entry was posted in Linux. Bookmark the permalink.