> Hi all...
>
> I'm trying to set up automatic authentication for users running IE on
> Windows 2000. I see from a previous discussion on this list that it has
> been done.
> Just be sure I understand, using NTLM and MSNT authentication the user
> won't need to log in manually for the proxy unless the user is using a
> browser that is not IE 5 or newer, basically having logged in to the NT
> Domain should be sufficient?
>
> The basic MSNT authentication works fine. I'm presented with the login
> prompt from IE, typing my username and password for the NT Domain allows
> me access.
>
> I'm trying to do the same but I'm failing. Using the configuration below
> I'm asked to log in to proxy.
> I'm running Internet Explorer 5 under Windows 2000.
> PDC and BDC are Windows 2000 servers.
What does your cache.log say? With our proxies I still get it not fully
under control. Most of the time it keeps showing the popup box at the
beginning of within a session. Check also your authentication log on your BDC.
>
> Squid is the latest (head-20011004) running on a Slackware 7 linux.
> These are the variables I used with the configure script.
>
> --prefix=/usr/local/squid25
> --enable-auth="basic,ntlm"
> --enable-basic-auth-helpers="MSNT"
> --enable-ntlm-auth-helpers="NTLMSSP"
>
I configured also --disable-internal-dns and use the host file for the BDC
and PDC. It seems to work a bit better.
> Here are the relevant lines in my squid.conf
>
> auth_param ntlm program /usr/local/squid25/libexec/squid/ntlm_auth -b domain/dc1 domain/dc2
> auth_param ntlm children 5
> auth_param ntlm max_challenge_reuses 0
> auth_param ntlm max_challenge_lifetime 2 minutes
I use it without the -b parameter (does not seem to make much of a
difference) and have 'auth_param ntlm max_challenge_reuses 1'
>
> auth_param basic program /usr/local/squid25/libexec/squid/msnt_auth
> auth_param basic children 4
> auth_param basic realm W2Kdomain
> auth_param basic credentialsttl 5
>
> acl internal 192.168.1.0/255.255.255.0
> acl password proxy_auth REQUIRED
>
> http_access allow internal password
> http_access deny all
>
>
> --
> Best regards
> Kalle Andersson
> kan@gronaverket.se
>
Received on Wed Oct 10 2001 - 02:27:54 MDT
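
A small lint pass over the squid.conf lines quoted in the message above, as an added example that is not part of the original thread or of Squid itself: it lists the auth schemes in the order they are configured and checks that each has a helper program, that every acl line names a type, and that an allow rule requires a proxy_auth acl. The function name, the KNOWN_ACL_TYPES subset and the SAMPLE text are assumptions made for this example.

```python
# Subset of Squid ACL types, enough for this example (assumption: not the full list).
KNOWN_ACL_TYPES = {"src", "dst", "srcdomain", "dstdomain", "port", "proto",
                   "method", "time", "url_regex", "proxy_auth"}

# Constructed sample: the squid.conf lines quoted in the message above.
SAMPLE = """\
auth_param ntlm program /usr/local/squid25/libexec/squid/ntlm_auth -b domain/dc1 domain/dc2
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param basic program /usr/local/squid25/libexec/squid/msnt_auth
auth_param basic children 4
auth_param basic realm W2Kdomain
auth_param basic credentialsttl 5
acl internal 192.168.1.0/255.255.255.0
acl password proxy_auth REQUIRED
http_access allow internal password
http_access deny all
"""

def lint_auth_config(text):
    """Return (auth schemes in configured order, list of findings)."""
    schemes, params, acls, rules, findings = [], {}, {}, [], []
    for n, raw in enumerate(text.splitlines(), 1):
        tok = raw.split("#", 1)[0].split()      # drop comments, split on whitespace
        if not tok:
            continue
        if tok[0] == "auth_param" and len(tok) >= 4:
            if tok[1] not in schemes:
                schemes.append(tok[1])
            params.setdefault(tok[1], set()).add(tok[2])
        elif tok[0] == "acl" and len(tok) >= 3:
            # Squid's syntax is: acl <name> <type> <arguments...>
            if tok[2] in KNOWN_ACL_TYPES:
                acls[tok[1]] = tok[2]
            else:
                findings.append(f"line {n}: acl '{tok[1]}' has no recognised type ('{tok[2]}')")
        elif tok[0] == "http_access" and len(tok) >= 3:
            rules.append((tok[1], [a.lstrip("!") for a in tok[2:]]))
    for s in schemes:
        if "program" not in params[s]:
            findings.append(f"auth scheme '{s}' has no helper program")
    if not any(act == "allow" and any(acls.get(a) == "proxy_auth" for a in names)
               for act, names in rules):
        findings.append("no http_access allow rule requires a proxy_auth acl")
    if not rules or rules[-1] != ("deny", ["all"]):
        findings.append("http_access list does not end with 'deny all'")
    return schemes, findings
```

On the quoted lines it reports the schemes as ntlm then basic and flags line 9, where `acl internal` is followed directly by the address with no type such as `src`.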