The browser can only authenticate to the first proxy. This is a
limitation of the HTTP protocol. It is then the responsibility of this
proxy to authenticate to any upstream proxy if required.
When using Basic HTTP authentication you can chain the authentication on
multiple proxies IFF all of them shares the same password database. See
the cache_peer login= option. This also works for Digest if the first
proxy is not doing any authentication, but cannot be used for proxying
the NTLM authentication scheme.
If using NTLM of Digest scheme on the first proxy you cannot forward the
authentication of the client to the upstream proxy. Your alternatives
are then to either
a) Reconfigure the upstream to allow requests from the sibling without
requiring authentication
b) Use the login= cach_peer option on the sibling to specify which
user the sibling should authenticate as to the upstream proxy.
Regards
Henrik
Chris Vaughan wrote:
>
> Greetings.
>
> I am trying to authenticate from a sibling cache using ntlm, sending
> requests out through a parent.
>
> If the parent uses NCSA auth, the sibling serves back pages that cannot be
> navigated due to authentication failures.
>
> If the parent is also using ntlm, then a password/userid prompt, that will
> not accept any input, appears.
>
> Any Ideas?
>
> ***************************************************************
> This message is intended for the addressee named and
> may contain confidential information. If you are not the
> intended recipient, please delete it and notify the sender.
> Views expressed in this message are those of the
> individual sender, and are not necessarily the views of the
> Department of Information Technology & Management.
>
> This email message has been swept by MIMEsweeper
> for the presence of computer viruses.
> ***************************************************************
Received on Thu Feb 13 2003 - 18:20:22 MST
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:13:22 MST