|
/
Zope
/
Apsis
/
Pound Mailing List
/
Archive
/
2005
/
2005-07
/
IE, Exchange and SSL issue
[
HTTP Request Smuggling / Andrew Taylor ... ]
[
URL Filtering based on the domain name alone? / ... ]
IE, Exchange and SSL issue
Martin Glazer <sourceforge(at)glazer.ca> |
2005-07-14 04:28:35 |
[ FULL ]
|
Hi,
I'm adding Pound to a small cd based distribution called Devil Linux
(www.devil-linux.org). Everything works correctly, including running pound in
a chroot jail except for the Internet Explorer, MS Exchange and SSL
combination.
Accessing Exchange (OWA) using a browser other than IE works correctly, but as
soon as I try with IE, I get the request for user name and password and then
a "The page cannot be displayed" error message.
I have read the FAQ, README as well as searched the mailing list, and tried
all the suggested solutions, but still cannot get it to work.
I am using Pound 1.9
All I am getting in the logs is
Jul 13 20:17:43 Saint pound: xxx.xxx.xxx.xxx GET /exchange HTTP/1.1 - HTTP/1.1
401 Unauthorized (192.168.0.8:80)
Steps I have taken -
Compiled pound with "--enable-msdav"
Added WebDAV 1
added HTTPSHeaders 0 "Front-End-Https: on" (although in the notes it says to
put this value to 1, it doesn't work either way - 1 asks the client for a
certificate)
added "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eN
ULL"
Tried different combination of ports.
Below is my pound config file.
I am at a loss as to what to try next... any suggestions?
Thanks
Martin
=================================
User nobody
Group nogroup
RootJail /jail/POUND
ExtendedHTTP 1
WebDAV 1
# Tell Exchange we are using HTTPS on the front end
HTTPSHeaders 0 "Front-End-Https: on"
LogLevel 2
Alive 30
ListenHTTPS *,443 /etc/cacert.pem "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:
+LOW:+SSLv2:+EXP:+eNULL"
##
UrlGroup ".*"
BackEnd 192.168.0.8,80,1
EndGroup
=======================================
|
|
|
Re: [Pound Mailing List] IE, Exchange and SSL issue
Robert Segall <roseg(at)apsis.ch> |
2005-07-14 13:02:38 |
[ FULL ]
|
On Wed, 13 Jul 2005 20:28:35 -0600 Martin Glazer
<sourceforge(at)glazer.ca>
wrote:
[...]
You have certainly gone the right way about this, so there is not much I
can offer (aside from a few snide remarks in the general direction of
Redmond).
1. Try adding "NoHTTPS11 2" to your config file. This will disable HTTP
1.1 for MSIE clients - seems to help sometimes.
2. Check in your OWA setup if it sends you to different pages, depending
on the browser id string (or perhaps tries loading an ActiveX control if
you use IE, which in turn may use non-standard methods for OWA access).
3. Try having Pound run without the RootJail and/or setuid/setgid, just
in case.
4. Let's have some more people tell us what they did to get it
working right.[...]
|
|
|
Re: [Pound Mailing List] IE, Exchange and SSL issue
Frank Schmirler <frank.schmirler(at)linogate.com> |
2005-07-14 13:14:51 |
[ FULL ]
|
Hi Martin,
On Wed, Jul 13, 2005 at 08:28:35PM -0600, Martin Glazer wrote:[...]
check the authentication scheme configured in IIS. Most likely IIS
will request kerberos (negotiate), ntlm and basic auth in the given
order. As IE supports all three methods it will use the first one which
usually fails via Internet. Non-IE browsers in contrast will use basic
auth and succeed.
Good luck,
Frank
[...]
|
|
|
AW: [Pound Mailing List] IE, Exchange and SSL issue
"Dr. Oliver C. Radke" <oradke(at)pcat.de> |
2005-07-14 13:51:21 |
[ FULL ]
|
Hi!
Actuallay I have the same problem. I tried several different "HTTPSHeaders "
settings, but that didn't change much.
I guess Pound doesn't supply the credentials to IIS.
Oliver Radke
-----Ursprüngliche Nachricht-----
Von: Robert Segall [mailto:roseg(at)apsis.ch]
Gesendet: Donnerstag, 14. Juli 2005 13:15
An: pound(at)apsis.ch
Betreff: Re: [Pound Mailing List] IE, Exchange and SSL issue
On Wed, 13 Jul 2005 20:28:35 -0600 Martin Glazer
<sourceforge(at)glazer.ca>
wrote:
[...]
You have certainly gone the right way about this, so there is not much I can
offer (aside from a few snide remarks in the general direction of Redmond).
1. Try adding "NoHTTPS11 2" to your config file. This will disable HTTP
1.1 for MSIE clients - seems to help sometimes.
2. Check in your OWA setup if it sends you to different pages, depending on the
browser id string (or perhaps tries loading an ActiveX control if you use IE,
which in turn may use non-standard methods for OWA access).
3. Try having Pound run without the RootJail and/or setuid/setgid, just in
case.
4. Let's have some more people tell us what they did to get it working right.
--
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-44-920 4904
--
To unsubscribe send an email with subject 'unsubscribe' to pound(at)apsis.ch.
Please contact roseg(at)apsis.ch for questions.
http://192.168.1.2:8080/Apsis/pound/pound_list/archive/2005/2005-07/1121308115000/1121338958000
|
|
|
Re: [Pound Mailing List] IE, Exchange and SSL issue
Martin Glazer <sourceforge(at)glazer.ca> |
2005-07-15 23:57:16 |
[ FULL ]
|
Frank,
[...]
Thanks for the tip - that appeared to fix the authentication problem and I can
now get further along and actually see the list of folders and actions on the
left hand side, BUT the centre panel which shows the list of emails, just
says Loading... all the time and never actually loads.
I'm not sure how to debug this part, maybe checking the server logs.
Martin
|
|
|
Re: [Pound Mailing List] IE, Exchange and SSL issue
Martin Glazer <sourceforge(at)glazer.ca> |
2005-07-16 00:01:55 |
[ FULL ]
|
Robert,
<snip>
[...]
tried this - no difference
[...]
I'll have to look into this further - I'm not that familiar with IIS, so will
have to do more research
[...]
Tried without the jail and the uid - still an issue
[...]
Frank Schmirler suggested I disable NTLM authentication and this appeared to
do the trick, although not completely - IE does not load the list of emails,
just says Loading... all the time.
Thanks for the help
Martin
|
|
|
|
