I just tried using the same config, but commenting out the auth_param
basic lines.

Instead of being asked for a password this time, I only get to a cache
access denied page. An Ethereal snoop of the HTTP response from Squid
shows the following:

HTTP/1.0 407 Proxy Authentication Required
Server: squid/2.5.STABLE12
Mime-Version: 1.0
Date: Thu, 03 May 2007 18:53:16 GMT
Content-Type: text/html
Content-Length: 1322
Expires: Thu, 03 May 2007 18:53:16 GMT
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
X-Cache: MISS from proxy.domain.local
X-Cache-Lookup: NONE from proxy.domain.local:3128
Proxy-Connection: close

Notice that there aren't any

Proxy-Authenticate: ...

lines that tell IE what kind of authentication to attempt to use, even
though the only authentication type is NTLM.

-Mike

-----Original Message-----
From: movits@bloomberg.com [mailto:movits@bloomberg.com]
Sent: Thursday, May 03, 2007 2:45 PM
To: Mike Poublon
Subject: Re: [squid-users] NTLM + Squid - No NTLM Header being sent

On Thursday 03 May 2007 12:09 pm, Mike Poublon wrote:
> Whenever I try to access a page (using IE6 - should support NTLM),
> I get a dialog box asking for my username and password - which if
> provided authenticates me and I can browse the site.
I'm pretty sure that what you did was use *basic* auth and validate
the creds using NTLM. That's not the same thing as NTLM auth!
See:
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 10
> auth_param ntlm max_challenge_reuses 0
> auth_param ntlm max_challenge_lifetime 2 minutes
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
All those basic auth_params are what's happening (and it's working
because the basic auth program is /usr/bin/ntlm_auth).
Mordy
-- Mordy Ovits Network Security Bloomberg L.P.

Received on Thu May 03 2007 - 13:43:30 MDT
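
Added example, not part of the original thread and not Squid's own code: a Python check that parses a raw proxy response and reports which schemes a 407 actually advertises in Proxy-Authenticate. It is run here on the headers from the capture above and on two constructed responses; the function names and result labels are assumptions made for illustration.

```python
import io
from http.client import parse_headers

# Headers taken from the capture in the post (only NTLM configured in squid.conf).
CAPTURED = (
    b"HTTP/1.0 407 Proxy Authentication Required\r\n"
    b"Server: squid/2.5.STABLE12\r\n"
    b"X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0\r\n"
    b"Proxy-Connection: close\r\n\r\n"
)
# Constructed samples: a proxy offering NTLM and Basic, and one offering Basic only.
CONSTRUCTED_BOTH = (
    b"HTTP/1.0 407 Proxy Authentication Required\r\n"
    b"Proxy-Authenticate: NTLM\r\n"
    b'Proxy-Authenticate: Basic realm="Squid proxy-caching web server"\r\n\r\n'
)
CONSTRUCTED_BASIC = (
    b"HTTP/1.0 407 Proxy Authentication Required\r\n"
    b'Proxy-Authenticate: Basic realm="Squid proxy-caching web server"\r\n\r\n'
)

def offered_schemes(raw):
    """Return (status_code, [lower-cased auth schemes]) for a raw HTTP response."""
    fp = io.BytesIO(raw)
    status = fp.readline().decode("iso-8859-1").split(None, 2)
    if len(status) < 2 or not status[1].isdigit():
        raise ValueError("not an HTTP status line")
    headers = parse_headers(fp)
    # Assumption: one challenge per Proxy-Authenticate line (no comma-joined lists).
    values = headers.get_all("Proxy-Authenticate") or []
    return int(status[1]), [v.split(None, 1)[0].lower() for v in values if v.strip()]

def diagnose(raw):
    """Classify the response from the browser's point of view."""
    status, schemes = offered_schemes(raw)
    if status != 407:
        return "not-407"
    if not schemes:
        return "no-challenge"      # 407 with nothing for the client to try
    if "ntlm" in schemes:
        return "ntlm-offered"
    return "no-ntlm-offered"       # e.g. Basic only: the browser prompts for a password

if __name__ == "__main__":
    for name, raw in [("captured", CAPTURED), ("both", CONSTRUCTED_BOTH),
                      ("basic", CONSTRUCTED_BASIC)]:
        print(name, offered_schemes(raw), diagnose(raw))
```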