RE: [SQU] NTLM Authentication and Frontpage/IIS/Exchange

From: Timothy L. Minahan <sysop@dont-contact.us>
Date: Thu, 7 Dec 2000 18:52:35 +1100

(Note: Windows User here)

My knowledge of C is enough to compile and make squid. I wouldn't have
a clue on much past that. What I could do is provide a testing platform
for any code that is developed.

We are a strictly NT house with 3 different Active Dir Domains all in
the one Forest. Clients ranging from Macs - windows - Linux (Majority
running some version of Windows). We have a couple of IIS Servers that
are AD Controllers

If this is of any use .........

Cheers,
+-----------------------------------------------------------------------
----------------------------------------+
    Timothy L. Minahan

    System Administration
sysop@scc.edu.au <mailto:sysop@scc.edu.au>
    Southern Cross College
http://www.scc.edu.au <http://www.scc.edu.au/>
+-----------------------------------------------------------------------
----------------------------------------+

-----Original Message-----
From: Robert Collins [mailto:robert.collins@itdomain.com.au]
Sent: Friday, 1 December 2000 9:20
To: Timothy L. Minahan; Squid-Users@Ircache. Net (E-mail)
Subject: Re: [SQU] NTLM Authentication and Frontpage/IIS/Exchange

Yes. It's on Kinkie and my to-do list once ntlm is bedded down and
complete. The auth_rewrite branch was a (successful I think)
attempt to split out the authentication code into modules so that digest
can be added very easily.

Unfortunately we (my office) have been unsuccessful to date in getting
Digest Authentication to work from IIS unless the IIS server
is an AD server. (MS's doco is a bit confused - some places it quotes
"running on an AD DC" and others "AD must be available"....)

Anyway if you'd like to get started on Digest I'm sure we can make a
branch off of auth-rewrite for you to get started in.

see rfc 2617 for the spec.

Rob

----- Original Message -----
From: "Timothy L. Minahan" <sysop@scc.edu.au>
To: "Squid-Users@Ircache. Net (E-mail)" <squid-users@ircache.net>
Sent: Friday, December 01, 2000 8:40 AM
Subject: RE: [SQU] NTLM Authentication and Frontpage/IIS/Exchange

>
> Win2K supports digest authentication. It says that it is only for
win2k
> computers - has anyone thought of using this with squid?
>
> (More food for thought)
>
> Timothy
>
> -----Original Message-----
> From: Robert Collins [mailto:robert.collins@itdomain.com.au]
> Sent: Friday, 1 December 2000 8:20
> To: Palmer J.D.F.; squid-users@ircache.net
> Subject: Re: [SQU] NTLM Authentication and Frontpage/IIS/Exchange
>
>
> From the FAQ:
> http://www.squid-cache.org/Doc/FAQ/FAQ-11.html#ss11.14
>
> The ntlm branch in squid add ntlm authentication to the proxy_auth
acl's
> used by squid. Note that NTLM cannot be proxied (even by
> microsoft proxy server).
>
> 11.14 How come Squid doesn't work with NTLM Authorization.
> We are not sure. We were unable to find any detailed information on
NTLM
> (thanks Microsoft!), but here is a reference.
>
>
> We quote from the summary at the end of the browser authentication
> section:
>
> In summary, Basic authentication does not require an implicit
> end-to-end state, and can therefore be used through a proxy server.
> Windows NT Challenge/Response authentication requires implicit
> end-to-end state and will not work through a proxy server.
>
>
> Squid transparently passes the NTLM request and response headers
between
> clients and servers. NTLM relies on a single end-end
> connection (possibly with men-in-the-middle, but a single connection
> every step of the way. This implies that for NTLM
> authentication to work at all with proxy caches, the proxy would need
to
> tightly link the client-proxy and proxy-server links, as
> well as understand the state of the link at any one time. NTLM through
a
> CONNECT might work, but we as far as we know that hasn't
> been implemented by anyone, and it would prevent the pages being
cached
> - removing the value of the proxy.
>
>
> NTLM authentication is carried entirely inside the HTTP protocol, but
is
> different from Basic authentication in many ways.
>
>
> 1.. It is dependent on a stateful end-to-end connection which
collides
> with RFC 2616 for proxy-servers to disjoin the client-proxy
> and proxy-server connections.
> 2.. It is only taking place once per connection, not per request.
Once
> the connection is authenticated then all future requests on
> the same connection inherities the authentication. The connection must
> be reestablished to set up other authentication or
> re-identify the user.
>
> The reasons why it is not implemented in Netscape is probably:
>
>
> a.. It is very specific for the Windows platform
> b.. It is not defined in any RFC or even internet draft.
> c.. The protocol has several shortcomings, where the most apparent
one
> is that it cannot be proxied.
> d.. There exists an open internet standard which does mostly the
same
> but without the shortcomings or platform dependencies:
> digest authentication.
>
>
> ----- Original Message -----
> From: "Palmer J.D.F." <J.D.F.Palmer@swansea.ac.uk>
> To: <squid-users@ircache.net>
> Sent: Friday, December 01, 2000 3:54 AM
> Subject: [SQU] NTLM Authentication and Frontpage/IIS/Exchange
>
>
> > Hello,
> >
> > I am new to the list and therefore apologise for asking you 'noddy'
> > questions, but I'm a bit stuck.
> >
> > The scenario:
> >
> > Here at the University of Wales Swansea we are running Squid on Red
> hat 6.0
> > and at present all student web (http) traffic goes through this
cache
> (or
> > its backup box). It is my aim to route all staff traffic through
this
> cache
> > also, the problem is that several of our web servers and all email
> servers
> > are NT boxes running a combination of Exchange 5.5, IIS 4 or IIS 5.
> > We have 2 domains, each having a primary and secondary domain
> controller.
> >
> > However if I route through the cache no one can authenticate to the
> various
> > NT servers (to either read email via the web or to publish webs via
> > frontpage), I realise that it is possible to use basic
authentication
> but it
> > is not really an option here.
>
> You might try Digest or SSL+Basic
>
> >
> > So I have built myself a development cache running Suse 7 and Squid
> > 2.4-20001129, I have patched this version of squid with the NTLM
patch
> and
> > have managed to compile it successfully. But the problem I have is
> that it
> > doesn't seem to make any difference.
>
> Because you are trying to pass NTLM through it, not authenticate to
it.
>
> > I have read that a few of you have had success in getting ntlm_auth
to
> work,
> > so I was hoping that someone would be able to tell what I'm missing
> out or
> > doing wrong.
>
> Assuming the Microsoft designed their security protocol with an eye to
> scalable systems is your only mistake :-]
>
> > Do I need to specify the domain controllers somewhere?
>
> To authenticate with NTLM yes. For what you are doing, no. If you want
> to try the authentication out (just for kicks!). then read
> on...
>
> > The configure options that I used were
> >
> > --enable-ntlm-authentication
> > --enable-basic-authentication
> > --enable-auth-modules='NCSA NTLM'
> > --enable-ntlm-auth-modules="NTLMSSP"
> >
> > and I uncommented the: # athenticate_program_ntlm
> > from the squid.conf file.
>
> The line you uncommented is an example line. IT WILL NOT WORK. You
must
> add in your site specific configuration.
>
> Rob
>
> --
> To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
>
> --
> To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
>
>

--
To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
--
To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
Received on Thu Dec 07 2000 - 00:57:27 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:56:52 MST