Basic LDAP Proxy Auth Bites Back Again

We have set up a Squid box to authenticate users with the Basic LDAP scheme. Access from Internet Explorer to most sites works fine, but certificate revocation checks in Internet Explorer are failing. Why?

When a user tries to access a remote site, Internet Explorer shows a pop-up box asking the user to authenticate. After typing correct credentials into that box the user is able to browse the sites.

Each time an HTTPS server is accessed, Internet Explorer tries to validate the certificate the server presented using online revocation checks (a CRL download or OCSP, for example). Unfortunately this is done by the Microsoft Crypto API and not by IE itself. The proxy answers the Crypto API's request with 407 Proxy Authentication Required, but the Crypto API cannot show a credentials pop-up to the user, so it never authenticates, the fetch fails, and the revocation check fails with it.

This is clearly visible in the following sample certificate validation request captured in Wireshark. Note the User-Agent and the absence of any Proxy-Authorization header:

GET http://crl4.digicert.com/sha2-ha-server-g4.crl HTTP/1.1\r\n
Accept: */*\r\n
User-Agent: Microsoft-CryptoAPI/6.1\r\n
Proxy-Connection: Keep-Alive\r\n
Host: crl4.digicert.com\r\n
\r\n
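The same failure shows up on the proxy side as 407 responses to requests carrying that User-Agent. The following script is an added example (not part of the original post) that scans Squid access log lines written with Squid's "combined" logformat and reports CryptoAPI fetches the proxy denied; the log lines are constructed for the example and are not real entries from the post's proxy.

```python
import re
from urllib.parse import urlparse

# Constructed sample lines in Squid's "combined" logformat:
#   %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
# Line 2-3 and 5 are CryptoAPI revocation fetches denied with 407; line 4 is IE's own
# first request, which IE answers by prompting the user, so it is not the problem.
SAMPLE_LOG = """\
10.0.0.5 - jdoe [12/Mar/2017:10:15:00 +0000] "GET http://www.example.com/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko" TCP_MISS:HIER_DIRECT
10.0.0.5 - - [12/Mar/2017:10:15:01 +0000] "GET http://crl4.digicert.com/sha2-ha-server-g4.crl HTTP/1.1" 407 3815 "-" "Microsoft-CryptoAPI/6.1" TCP_DENIED:HIER_NONE
10.0.0.5 - - [12/Mar/2017:10:15:01 +0000] "GET http://ocsp.digicert.com/MFEwTzBN HTTP/1.1" 407 3815 "-" "Microsoft-CryptoAPI/6.1" TCP_DENIED:HIER_NONE
10.0.0.7 - - [12/Mar/2017:10:16:30 +0000] "GET http://www.example.com/ HTTP/1.1" 407 3815 "-" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko" TCP_DENIED:HIER_NONE
10.0.0.9 - - [12/Mar/2017:10:17:02 +0000] "GET http://crl3.digicert.com/ssca-sha2-g6.crl HTTP/1.1" 407 3815 "-" "Microsoft-CryptoAPI/10.0" TCP_DENIED:HIER_NONE
"""

# One regex for the fields we need: client address, authenticated user ("-" if none),
# request line, HTTP status and User-Agent. The trailing Squid status/hierarchy is ignored.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \d+ '
    r'"[^"]*" "(?P<agent>[^"]*)"'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def find_cryptoapi_denials(log_text):
    """Return entries where the proxy answered a Microsoft CryptoAPI request with 407.

    The version suffix of the User-Agent follows the Windows version, so match on
    the prefix rather than on "Microsoft-CryptoAPI/6.1" alone.
    """
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        if entry["status"] == 407 and entry["agent"].startswith("Microsoft-CryptoAPI/"):
            hits.append(entry)
    return hits


def summarize(hits):
    """Count denied fetches per (destination host, User-Agent); these hosts are the
    CRL/OCSP distribution points a bypass rule would have to cover."""
    summary = {}
    for entry in hits:
        host = urlparse(entry["url"]).hostname
        key = (host, entry["agent"])
        summary[key] = summary.get(key, 0) + 1
    return summary


if __name__ == "__main__":
    denials = find_cryptoapi_denials(SAMPLE_LOG)
    for (host, agent), count in sorted(summarize(denials).items()):
        print(f"{count:4d}  {host:<25s}  {agent}")
```

Run it against a real access.log (after switching Squid's `access_log` to the `combined` logformat, since the default format does not record the User-Agent) and the hosts it lists are exactly the ones whose revocation data your clients cannot reach.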

A Google search turns up the following two articles.

Recommendations

1. Use Kerberos as the method of AD authentication (recommended). See https://docs.diladele.com/administrator_guide_6_0/active_directory/index.html for all required steps.

2. Bypass authentication for the Microsoft Crypto API. To do that, add Microsoft-CryptoAPI/6.1 as a user agent bypass string in UI / Squid / Auth / Exclusions / User Agent. Not recommended: the User-Agent header is set by the client, so anything that sends that string browses through the proxy without authenticating. Note also that the version suffix follows the Windows version (6.1 is Windows 7), so clients on other Windows releases send a different string and need their own entry. If you take this route, limit the exception to the CRL and OCSP hosts your certificates actually point to.

3. Do not use Internet Explorer 🙂 Up to you to decide.
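For readers running plain Squid rather than the UI mentioned above, here is an added example squid.conf fragment (not from the post, and not what the Diladele UI generates) that combines Basic LDAP authentication with a narrow exception for CryptoAPI revocation fetches. The LDAP server, bind DN, password file path and the list of revocation hosts are assumptions; the DigiCert hostnames come from the capture above.

```conf
# Added example; hostnames, DNs and paths below are assumptions, not values from the post.

# Basic LDAP authentication against Active Directory (the setup the post describes).
auth_param basic program /usr/lib/squid/basic_ldap_auth -v 3 -R \
    -b "dc=example,dc=com" \
    -D "cn=squid,cn=Users,dc=example,dc=com" -W /etc/squid/ldap_bind_password \
    -f "(&(objectClass=person)(sAMAccountName=%s))" \
    -h dc1.example.com
auth_param basic realm Proxy
auth_param basic credentialsttl 2 hours
acl ldap_users proxy_auth REQUIRED

# Unauthenticated exception for CryptoAPI revocation checks.
# Match the User-Agent prefix, not "Microsoft-CryptoAPI/6.1" exactly, because the
# version suffix follows the Windows version (6.1 is Windows 7, 10.0 is Windows 10).
acl cryptoapi browser ^Microsoft-CryptoAPI/
# Restrict the exception to the CRL/OCSP distribution points your certificates use;
# a spoofed User-Agent then only gains unauthenticated access to these hosts.
acl revocation_hosts dstdomain crl3.digicert.com crl4.digicert.com ocsp.digicert.com
# CRL and OCSP fetches are plain HTTP GETs, so refuse CONNECT and everything else.
acl plain_http proto HTTP
acl get_only method GET

# Order matters: the exception must precede the proxy_auth rule, otherwise Squid
# challenges the CryptoAPI request with 407 before the exception is consulted.
http_access allow cryptoapi revocation_hosts plain_http get_only
http_access allow ldap_users
http_access deny all
```

After reloading, a request with `User-Agent: Microsoft-CryptoAPI/6.1` to one of the listed hosts should be logged as TCP_MISS with status 200 instead of TCP_DENIED with 407, while the same User-Agent pointed at any other host is still challenged. If your squid.conf is generated by a management UI, enter the equivalent settings there rather than hand-editing the generated file.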

About sichent

This entry was posted in Linux.