Ok. This all makes sense, I think. ;->. Due to the number of people and networks involved here, it is going to be interesting to straigten out all of this mess!
Thanks for the answers!
Mike Jacobi
-----Original Message-----
From: Henrik Nordstrom [mailto:hno@squid-cache.org]
Sent: Sunday, September 12, 2004 4:55 PM
To: Jacobi Michael CRPH
Cc: Kinkie; squid-users@squid-cache.org
Subject: RE: [squid-users] HTTP Error 401.2
On Sat, 11 Sep 2004, Jacobi Michael CRPH wrote:
> One question - I have another set of users that also access this web
> site, through anohter network that uses a dirrent proxy setup (I don't
> know the gory details, but I think it is Microsoft ISA). All of this
> stuff works correctly for them. Microsoft ISA doesn't proxy this?
A few possible cenarios:
a) This ISA is not acting as a HTTP proxy for reaching these server,
just firewall.
b) They access it using https, not http
c) It just looks like it works, sometimes, but in fact there is a
total mess of who is who (once authenticated, any user may get the
authenticated users credentials by just accessing the site via the
proxy).
b) The server is sufficiently new and has support for the very Microsoft
specific hacks Microsoft has added to deal with proxying of "Microsoft
Integrated Login" and this is supported by the ISA version used there.
Squid does not support the above mentioned "HTTP extensions" as the whole
scheme they use still violates fundamental aspects of HTTP connection
management, and even Microsoft states openly that NTLM is not suitable for
Internet authentication due to the security implications on the local
domain. The difference is that now it is documented how they violate the
HTTP specs and that current MSIE browsers knows NTLM violates the specs.
Regards
Henrik
Received on Sun Sep 12 2004 - 17:36:36 MDT
This archive was generated by hypermail pre-2.1.9 : Fri Oct 01 2004 - 12:00:02 MDT