Re: [squid-users] NT authentication with squid proxy

From: Raymond Jacob <jacob_raymond@dont-contact.us>
Date: Wed, 14 Nov 2001 18:36:27 +0000

From: Henrik Nordstrom <hno@squid-cache.org>
To: "Raymond Jacob" <jacob_raymond@hotmail.com>
CC: squid-users@squid-cache.org
Subject: Re: [squid-users] NT authentication with squid proxy
Date: Wed, 14 Nov 2001 17:47:50 +0100

On Wednesday 14 November 2001 16.37, Raymond Jacob wrote:

> thank you for your reply. I do appologize for being so dense
> but could you further elaborate on:
>
> > It is only HTTP proxies following the HTTP specifications it dislikes.

The NTLM authentication scheme is designed in such way that it collides with
connection management requirements in HTTP proxies put out by the HTTP
specification.

>>Thank you, now I understand I think. If I create a dumb plug on
>>my firewall for a site using NTLM to authenticate users.
>>My clients could go directly to the site through the dumb plug
>>on the firewall i.e. source address and port are NAT'd or if there
>>is a NTLM switch in squid to change default http proxy behaviour then I
>>could use squid to go through my dumb plug
>>on my firewall to the IIS web server?
>>
What this means is basically that any HTTP proxy designed to follow the
HTTP specification cannot proxy requests for NTLM authenticated content.

The NTLM authentication scheme is designed to be used on a local LAN only.

Use over the Internet is both stupid and very dangerous as it may reveal
information about your LAN account.
>>I certainly agree with the stupid part but alot of ISS administrators
>>including myself could not figure out an authentication method
>>like http password file that was not connected with SAM database
>>so we setup web servers with NTLM since it was not too
>>apparent as how to generate a key for SSL or our boss
>>thought everything MS did was secure.
>>
>>thanks again and I hope you don't flame
>>me for my questions which are proving very
>>enlightening to me.
>>Respectfully, Raymond
Regards
Henrik Nordström
Squid Hacker

_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp
Received on Wed Nov 14 2001 - 11:36:29 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:04:12 MST