RE: NTLM question

From: Chemolli Francesco (USI) <ChemolliF@dont-contact.us>
Date: Mon, 20 Aug 2001 15:56:38 +0200

> Squid cannot proxy NTLM authentication becasuse Microsft NTLM
> authentication
> does not follow HTTP specifications on persistent connection
> management and
> authentictaion.
>
> HTTP specifies that persistent connections are managed
> intependently beteen
> client<->proxy and proxy<->server to allow efficient sharing of server
> connections. Further, authentication is to take place per
> message, not per
> connection.
>
> NTLM authentication requires unique persistent
> client<->server connections with
> absolutely no sharing of the server connection between
> multiple clients.

It is worth noticing that recent version of MS Internet Explorer
WILL NOT EVEN ATTEMPT to perform NTLM authentication if a proxy
is in use to reach the destination host.

This emerged when Robert and I were attempting to perform
upstream connection pinning to work around the deficiencies of
MS's protocol.
This does NOT depend on Squid. MSIE performs the same when using
MS's own Proxy product.

Solution? Bitch with the site webmaster or provide workarounds via
proxy.pac.

-- 
	/kinkie
Received on Mon Aug 20 2001 - 07:47:34 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:14:13 MST