Hi,
I have a question about the NTLM authentication protocol. Here is my relevant squid conf:
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=internet-group
auth_param ntlm children 100
auth_param ntlm max_challenge_reuses 100
auth_param ntlm max_challenge_lifetime 5 minutes
acl AuthorizedUsers proxy_auth REQUIRED
http_access allow AuthorizedUsers
http_access deny all
When a user who is not a member of "internet-group" requests a webpage, an authentication window appears (login and password).
On the proxy side, I see:
1138260038.968 0 10.2.32.248 TCP_DENIED/407 1428 GET http://www.index.hu/ - NONE/- text/html
1138260038.971 0 10.2.32.248 TCP_DENIED/407 1418 GET http://www.index.hu/ - NONE/- text/html
1138260038.977 4 10.2.32.248 TCP_DENIED/407 1428 GET http://www.index.hu/ - NONE/- text/html
My question is: is this the correct behaviour?
http://en.wikipedia.org/wiki/NTLM
I think in the first and second cases the 407 answer is correct, because we have no information about whether the authentication succeeded.
But when the client sends the type 3 response, squid will accept or deny the user. When denied, why send back 407 (403 would be great)? How can I change this behaviour?
Server: Debian GNU/Linux 3.1, squid 2.5.9-10sarge2, samba 3.0.14a-3sarge
Clients: Windows XP SP2, IE 6.0.2900.2180.xpsp_sp2_rtm.040803-2158
Thanks in advance,
Szabolcs Horvath
Received on Thu Jan 26 2006 - 02:25:56 MST
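
Added example, not part of the original post: a heuristic classifier that reads the 407 sequence described above out of a Squid native access.log, so a refused type 3 response (three 407s in a row) can be told apart from a completed exchange. The function names, the 5-second window, the second client and the user "alice" are assumptions made for the illustration; the log line alone does not say why the helper refused the user.

```python
# Added example: heuristic classifier for NTLM proxy-auth exchanges in a
# Squid native access.log. Not part of the original post.

# Constructed sample: the three lines from the post, plus a constructed
# successful exchange from a made-up second client and user "alice".
SAMPLE_LOG = """\
1138260038.968 0 10.2.32.248 TCP_DENIED/407 1428 GET http://www.index.hu/ - NONE/- text/html
1138260038.971 0 10.2.32.248 TCP_DENIED/407 1418 GET http://www.index.hu/ - NONE/- text/html
1138260038.977 4 10.2.32.248 TCP_DENIED/407 1428 GET http://www.index.hu/ - NONE/- text/html
1138260040.100 0 10.2.32.10 TCP_DENIED/407 1428 GET http://www.index.hu/ - NONE/- text/html
1138260040.104 0 10.2.32.10 TCP_DENIED/407 1418 GET http://www.index.hu/ - NONE/- text/html
1138260040.350 240 10.2.32.10 TCP_MISS/200 5120 GET http://www.index.hu/ alice DIRECT/192.0.2.10 text/html
"""

def parse_line(line):
    """Split one native-format access.log line into the fields used here."""
    f = line.split()
    return {"ts": float(f[0]), "client": f[2], "status": int(f[3].split("/")[1]),
            "url": f[6], "user": f[7]}

def classify(log_text, window=5.0):
    """Return (client, url, outcome) tuples in log order.

    Heuristic: per client and URL, the first two 407s are the expected
    negotiate/challenge steps. A third 407 inside `window` seconds means the
    type 3 response was refused; a non-407 reply carrying a user name means
    it was accepted.
    """
    pending = {}   # (client, url) -> (consecutive 407 count, last timestamp)
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        key = (e["client"], e["url"])
        count, last = pending.get(key, (0, e["ts"]))
        fresh = e["ts"] - last <= window
        if e["status"] == 407:
            count = count + 1 if fresh else 1
            pending[key] = (count, e["ts"])
            if count == 3:
                results.append((*key, "rejected"))
                del pending[key]
        else:
            if fresh and count >= 2 and e["user"] != "-":
                results.append((*key, "authenticated"))
            pending.pop(key, None)
    return results
```

The access log carries no connection identifier, so grouping by client address and URL is an approximation; several users behind one address can blur the counts.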