RE: [SQU] NTLM Authentication and Frontpage/IIS/Exchange

From: Robert Collins <robert.collins@dont-contact.us>
Date: Fri, 1 Dec 2000 22:56:30 +1100

> -----Original Message-----
> From: Chemolli Francesco (USI) [mailto:ChemolliF@GruppoCredit.it]
> Sent: Friday, 1 December 2000 8:52 PM
> To: Robert Collins; Timothy L. Minahan; Squid-Users@Ircache. Net
> (E-mail)
> Subject: RE: [SQU] NTLM Authentication and Frontpage/IIS/Exchange
>
>
> > Yes. It's on Kinkie and my to-do list once ntlm is bedded
> > down and complete. The auth_rewrite branch was a
> (successful I think)
> > attempt to split out the authentication code into modules so
> > that digest can be added very easily.
> >
> > Unfortunately we (my office) have been unsuccessful to date
> > in getting Digest Authentication to work from IIS unless the
> > IIS server
> > is an AD server. (MS's doco is a bit confused - some places
> > it quotes "running on an AD DC" and others "AD must be
> available"....)
>
> Might be because NT stores in the SAM not the clear-text passwords,
> but the mangled "password equivalent" hashes (for "security
> reasons", never
> mind that they're not called "password equivalents" for fun).

They only support it under Win2k - they extend the storage mechanism for
passwords - users can only use the system after setting the option
against their account, and then changing their pw...

>
> Digest uses a different crypto algorithm, so it requires either
> cleartext passwords or a different mangling on the password.

Digest uses straight MD5. MS's documentation states that they have to
store the cleartext password - which goes against the Digest spec (all
the WWW server needs access to is the MD5 hash.).
 
> > Anyway if you'd like to get started on Digest I'm sure we can
> > make a branch off of auth-rewrite for you to get started in.
>
> Wouldn't it be better to first swap the auth-rewrite and NTLM
> branches?
>
Oh certainly that bit of mechanics will take place before the act of
creating a digest branch - but I figured we can encourage development
before the swap over.

I think the easiest swap will simply be a patch kit for
HEAD->auth_rewrite and get all the ntlm changes into auth_rewrite (they
are at the moment) immediately prior to the swap. Then rm auth_rewrite,
recreate from HEAD, apply the patch kit, rm ntlm, recreate from
auth_rewrite. It does lose the history though. Comments?

Rob
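Worked example (added here; it is not code from this thread or from Squid) of the point about Digest storage: the server can verify an RFC 2617 Digest response while holding only H(A1) = MD5(username:realm:password), never the cleartext password. The store, names and the constructed login below are assumptions; the final check uses the RFC 2617 sample values.

```python
import hashlib
import secrets


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def make_ha1(username: str, realm: str, password: str) -> str:
    # H(A1) is the only per-user secret a Digest server needs to keep.
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    # RFC 2617 response with qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_response(username, realm, password, method, uri, nonce, nc, cnonce):
    # Client side: only the client ever sees the cleartext password.
    ha1 = make_ha1(username, realm, password)
    return digest_response(ha1, method, uri, nonce, nc, cnonce)


def server_verify(ha1_store, username, realm, method, uri, nonce, nc, cnonce, response):
    # Server side: look up the stored H(A1); no cleartext password needed.
    ha1 = ha1_store.get((username, realm))
    if ha1 is None:
        return False
    expected = digest_response(ha1, method, uri, nonce, nc, cnonce)
    return secrets.compare_digest(expected, response)


def demo() -> bool:
    # Constructed login: the store is provisioned with H(A1) at enrolment time.
    realm, user, pw = "squid-proxy", "alice", "correct horse battery"
    store = {(user, realm): make_ha1(user, realm, pw)}
    nonce, nc, cnonce = secrets.token_hex(16), "00000001", secrets.token_hex(8)
    good = client_response(user, realm, pw, "GET", "/", nonce, nc, cnonce)
    bad = client_response(user, realm, "wrong", "GET", "/", nonce, nc, cnonce)
    ok = server_verify(store, user, realm, "GET", "/", nonce, nc, cnonce, good)
    rejected = not server_verify(store, user, realm, "GET", "/", nonce, nc, cnonce, bad)
    return ok and rejected
```

Because the server keeps H(A1) only, a stolen store still lets an attacker answer Digest challenges for that realm, so H(A1) must be protected like a password hash; what the example shows is that cleartext storage is not required by the protocol.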

Received on Fri Dec 01 2000 - 05:03:20 MST