Re: [squid-users] NT multi domain authentication

From: <michele.de-martin@dont-contact.us>
Date: Fri, 28 Feb 2003 17:15:03 +0100

Ok, let's go for some scenarios.

1) User domain and workstation domain are the same.
Using the domain of the initial negotiate packet we can achieve
authentication against multiple non-trusted domains.

2) User domain differs from workstation domain but the two domains are in a
trust relationship.
Given the trust, can we authenticate against the workstation domain instead
of the user one?

3) User domain differs from workstation domain and they are not in a trust
relationship.
No hope. Is this a feasible situation?

Anyway.
For points 2) and 3): can we send to the browser a second (and correct)
challenge packet after we receive the client authenticate packet with the
correct domain?

Example:
C->S: get www.google.com
S->C: 407 Proxy Authentication Required, Proxy-Authenticate: NTLM
C->S: get www.google.com Proxy-Authorization: NTLM Negotiate packet
with workstation domain DOMAIN1
S->DC1: gets challenge for domain DOMAIN1 from DC1
S->C: 407 Proxy Authentication Required, NTLM Challenge packet (from
DC1)
C->S: get www.google.com Proxy-Authorization: NTLM Authenticate
packet with user domain DOMAIN2

      if DOMAIN1 == DOMAIN2
S->DC: check the Authenticate packet against DC1

      else /* DOMAIN1 != DOMAIN2 */
S->DC: gets challenge for domain DOMAIN2 from DC2
S->C: 407 Proxy Authentication Required, NTLM Challenge packet (from
DC2)
C->S: get www.google.com Proxy-Authorization: NTLM Authenticate
packet with user domain DOMAIN2
S->DC: check the Authenticate packet against DC2
      endif
S->C: 200 OK or 407 ERR again

Last note.
For me point 1) is the most important: the only one I must face up to.
Is it possible to include point 1) in squid ntlm authentication with some
warning about its limitations?

I'm sure I've missed something important in my thoughts :)
Thank you very much for your help.

Michele

Henrik Nordstrom <hno@squid-cache.org>
Sent by: squid-users-return-26290-michele.de-martin=electrolux.it@squid-cache.org
02/28/2003 02:57 PM

To: Robert Collins <robertc@squid-cache.org>
cc: Michele De Martin/Electrolux IT Solutions/Italy/Electrolux Group@Electrolux,
    squid-users@squid-cache.org
Subject: Re: [squid-users] NT multi domain authentication

fre 2003-02-28 klockan 13.07 skrev Robert Collins:

> You can't solve this. The correct domain information is not available at
> that step in the auth process. (see http://devel.squid-cache.org/ntlm
> for more info).

To further explain what Robert and the devel docs say: the
initial negotiate packet of NTLM contains the domain of the workstation
used, not the domain of the user who tries to log in.

--
Henrik Nordstrom <hno@squid-cache.org>
MARA Systems AB, Sweden
Received on Fri Feb 28 2003 - 09:15:48 MST
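The distinction Henrik describes (the NTLM negotiate packet carries the workstation's domain; only the later authenticate packet carries the user's domain), shown as an added example that is not from this thread and not Squid's own code: a small parser for the three NTLMSSP message types following the MS-NLMP field layouts, plus constructed negotiate and authenticate messages with all-zero placeholder LM/NT responses so the block runs offline. The builders, the field names returned and the `domain_check` helper are this example's own; `domain_check` implements the `DOMAIN1 == DOMAIN2` test from Michele's pseudocode.

```python
import struct

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE, CHALLENGE, AUTHENTICATE = 1, 2, 3

# NegotiateFlags bits used here (values from MS-NLMP)
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_NEGOTIATE_OEM = 0x00000002
NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED = 0x00001000
NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED = 0x00002000


def _field(buf: bytes, offset: int) -> bytes:
    """Read a (Len, MaxLen, BufferOffset) security-buffer descriptor at
    `offset` and return the payload bytes it points at, bounds-checked."""
    length, _maxlen, start = struct.unpack_from("<HHI", buf, offset)
    if start + length > len(buf):
        raise ValueError("security buffer points outside the message")
    return buf[start:start + length]


def _decode(raw: bytes, flags: int) -> str:
    """Type 2/3 strings are UTF-16LE when the UNICODE flag is set, else OEM."""
    return raw.decode("utf-16-le") if flags & NTLMSSP_NEGOTIATE_UNICODE else raw.decode("ascii")


def parse_ntlm(msg: bytes) -> dict:
    """Return the identity-related fields of a NEGOTIATE, CHALLENGE or AUTHENTICATE message.
    Note that a NEGOTIATE message has no user field at all: only the workstation's domain."""
    if msg[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    mtype = struct.unpack_from("<I", msg, 8)[0]
    if mtype == NEGOTIATE:
        flags = struct.unpack_from("<I", msg, 12)[0]
        # Type 1 strings are always OEM-encoded, whatever the UNICODE flag says
        dom = _field(msg, 16).decode("ascii") if flags & NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED else ""
        wks = _field(msg, 24).decode("ascii") if flags & NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED else ""
        return {"type": NEGOTIATE, "domain": dom, "workstation": wks}
    if mtype == CHALLENGE:
        flags = struct.unpack_from("<I", msg, 20)[0]
        return {"type": CHALLENGE, "target": _decode(_field(msg, 12), flags),
                "challenge": msg[24:32]}
    if mtype == AUTHENTICATE:
        flags = struct.unpack_from("<I", msg, 60)[0]
        return {"type": AUTHENTICATE,
                "domain": _decode(_field(msg, 28), flags),
                "user": _decode(_field(msg, 36), flags),
                "workstation": _decode(_field(msg, 44), flags)}
    raise ValueError(f"unknown NTLM message type {mtype}")


def build_negotiate(domain: str, workstation: str) -> bytes:
    """Constructed Type 1 message (no Version field): header is 32 bytes, payload follows."""
    flags = (NTLMSSP_NEGOTIATE_OEM | NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
             | NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED)
    d, w = domain.encode("ascii"), workstation.encode("ascii")
    hdr = SIGNATURE + struct.pack("<II", NEGOTIATE, flags)
    hdr += struct.pack("<HHI", len(d), len(d), 32)
    hdr += struct.pack("<HHI", len(w), len(w), 32 + len(d))
    return hdr + d + w


def build_authenticate(domain: str, user: str, workstation: str) -> bytes:
    """Constructed Type 3 message (no Version/MIC): 64-byte header, then the six
    payload buffers. LM/NT responses are all-zero placeholders, not real proofs."""
    flags = NTLMSSP_NEGOTIATE_UNICODE
    lm, nt, key = bytes(24), bytes(24), b""
    d, u, w = (s.encode("utf-16-le") for s in (domain, user, workstation))
    fields, payload = b"", b""
    for blob in (lm, nt, d, u, w, key):
        fields += struct.pack("<HHI", len(blob), len(blob), 64 + len(payload))
        payload += blob
    return SIGNATURE + struct.pack("<I", AUTHENTICATE) + fields + struct.pack("<I", flags) + payload


def domain_check(negotiate: bytes, authenticate: bytes) -> tuple:
    """(workstation domain from Type 1, user domain from Type 3, whether they match).
    A proxy that picked its DC from the Type 1 domain only learns here whether that was right."""
    t1, t3 = parse_ntlm(negotiate), parse_ntlm(authenticate)
    return t1["domain"], t3["domain"], t1["domain"].upper() == t3["domain"].upper()


if __name__ == "__main__":
    neg = build_negotiate("DOMAIN1", "WKS1")          # workstation joined to DOMAIN1
    auth = build_authenticate("DOMAIN2", "alice", "WKS1")  # user account lives in DOMAIN2
    print("negotiate  :", parse_ntlm(neg))
    print("authenticate:", parse_ntlm(auth))
    print("domains agree:", domain_check(neg, auth))
```

The negotiate dict has no `user` key, which is the whole problem in the thread: at the point where the proxy must choose a domain controller to fetch a challenge from, the only domain it can read is the workstation's. The user's domain becomes visible only after the challenge has already been issued.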
