How to authenticate .NET2 Webservice with a SQUID proxy

Question

I've got a little utility that is a SOAP WebService client. The SOAP-proxy is generated from WSDL. It was working fine.

Now the customer wants to use a SQUID proxy, but that refuses to authenticate my SOAP client.

I have already tried:

 MyWebservice ws = new MyWebservice();
 // set URL etc.
 // login for the actual service, this part works
 HeaderLogin hl = new HeaderLogin();
 hl.username = svcLogin;
 hl.password = svcPassword;
 ws.HeaderLoginValue = hl;

 // setting up the Proxy of the Proxy
 //ws.Proxy = System.Net.WebRequest.GetSystemWebProxy();
 ws.Proxy = System.Net.WebRequest.DefaultWebProxy;

 //ws.Proxy.Credentials = CredentialCache.DefaultCredentials;                
 ws.Proxy.Credentials = new NetworkCredential(proxyUser, proxyPassword, proxyDomain);

But I keep getting the HTTP 407 error: Proxy authentication required.

SQUID (squid/2.7.STABLE4) is setup to use NTLM and AD for the authentication. That seems to work OK: there are other WebService clients that are getting through the Proxy OK.

I don't have direct access to the site but only some logfiles to look at. Most remarkable is what I can see in the PCAP (Wireshark) files. When I create a NetworkCredential with userName="Henk", domain="TEST" it shows up in the PCAP as

... HTTP CONNECT someurl:443 HTTP/1.1 , NTLMSSP_AUTH, User: T\H

And when I look at the PCAP for a working service

... HTTP CONNECT someurl:443 HTTP/1.0 , NTLMSSP_AUTH, User: TEST\Henk

And in the SQUID acces.log all attempts are shown as:

... 0 192.168.15.95 TCP_DENIED/407 1759 CONNECT someurl:443 - NONE/- text/html
... 32 192.168.15.95 TCP_DENIED/407 2055 CONNECT someurl:443 - NONE/- text/html
... 31 192.168.15.95 TCP_DENIED/407 1759 CONNECT someurl:443 - NONE/- text/html

Concrete questions:

• any known issues with .NET2 SOAP and Squid?
• is the display of TEST\Henk as T\H significant?
• anything else I should be looking for?

Answer 1

The T\H could be an indication that you have Unicode string being used as ASCII string. Since Unicode characters are two bytes (the most common case on Windows), if you interpret them as ASCII you get the real character and a null terminator byte.

I wouldn't expect to see that type of error in a .NET app, but you never know.

Answer 2

I see that squid log shows access denied to someurl:443... port 443 is a secure channel port (SSL). In common practice webservices hosted on SSL require some sort of a authentication. please check the webservice credential requirements. you may have to pass the credentials or authenticate yourself as a valid client through a certificate.

Answer 3

It is possible that the NTLM connection is being recycled before the connection is completed resulting in a new/second anonymous connection request and the 407 error.

Try overriding the GetWebRequest(Uri uri) method and set the KeepAlive property to false.

Edit the Reference.cs file with the following:

protected override WebRequest GetWebRequest(Uri uri)
{
   HttpWebRequest webRequest = (HttpWebRequest)base.GetWebRequest(uri);
   webRequest.KeepAlive = false;
   return webRequest;
}

Just remember that updating the web reference will cause Visual Studio to regenerate the file and you'll need to modify the file again.

Answer 4

can you try add "http_access allow" to the domain in your squid config