Horváth Szabolcs wrote:
>Hi,
>
>I have a question about NTLM authentication protocol. Here is my relevant squid conf:
>
>auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=internet-group
>auth_param ntlm children 100
>auth_param ntlm max_challenge_reuses 100
>auth_param ntlm max_challenge_lifetime 5 minutes
>
>acl AuthorizedUsers proxy_auth REQUIRED
>http_access allow AuthorizedUsers
>http_access deny all
>
>When a user, who is not the member of "internet-group", requests a webpage, authentication window appears (login and password).
>
>In the proxy side, I see:
>
>1138260038.968 0 10.2.32.248 TCP_DENIED/407 1428 GET http://www.index.hu/ - NONE/- text/html
>1138260038.971 0 10.2.32.248 TCP_DENIED/407 1418 GET http://www.index.hu/ - NONE/- text/html
>1138260038.977 4 10.2.32.248 TCP_DENIED/407 1428 GET http://www.index.hu/ - NONE/- text/html
>
>My question is: is this the correct working?
>
>http://en.wikipedia.org/wiki/NTLM
>I think the first and second case, 407 answer is correct, because we have no information about if the authentication succeed.
>
>But, when the client send the type 3 response, squid will access or deny the user. When denied, why send back 407
>
This is fine,
If a proxy does not accept the credentials sent with a
request, it SHOULD return a 407 (Proxy Authentication Required).
See the 2617 RFC.
Thanks
-- Emilio CasbasReceived on Thu Jan 26 2006 - 02:40:25 MST
This archive was generated by hypermail pre-2.1.9 : Wed Feb 01 2006 - 12:00:01 MST