Re: [squid-users] NTLM authentication testing

From: Guido Serassio <guido.serassio@dont-contact.us>
Date: Tue, 19 Feb 2008 19:48:27 +0100

Hi,

At 16:36 19/02/2008, Richard Wall wrote:

>Guido,
>
>Yep, I've looked at it, but have not completely absorbed it yet :)

But you should, probably it's the best NTLM explanation on the net ... :-)

> > Another question, what type of NTLM authentication is supported by curl?
> > LAN Manager/NTLMv1 or full NTLMv2? (See the previous link for details)
>
>I'm not sure, but in full debug mode, curl will show the various
>headers it exchanges with the server.
>It seems to correspond to:
> * http://devel.squid-cache.org/ntlm/client_proxy_protocol.html
>
>...but of course we're starting at point 4 which means that in real
>life, there'd be even more squid requests I guess.

It should likely be NTLMv1; NTLMv2 requires the client and server mutual
authentication provided by Domain Controllers.

>Doesn't the --helper-protocol=squid-2.5-ntlmssp in squid.conf
>determine that NTLMv2 will be used? Looking at the man page for
>ntlm_auth suggests that LAN Manager auth would require different
>parameters:
>
> * http://us1.samba.org/samba/docs/man/manpages-3/ntlm_auth.1.html

No, this ALLOWS support for the NTLM NEGOTIATE packet needed for
NTLMv2, but the NTLM version is always negotiated between winbindd
and the browser.

>This may seem like a stupid question, and my vague understanding of
>Kerberos may be way off, but aren't there better alternatives to NTLM
>proxy auth if you're authenticating only against Active Directory
>servers?
>
>Doesn't Kerberos provide a time-limited token to the authenticated
>Windows domain client that can be passed to other machines in the
>domain as proof that the client is authenticated, and which can be
>used to look up what services the client has access to?
>
>In a perfect world, shouldn't Internet Explorer just pass this token
>along with all requests to other machines in the same domain?

Negotiate is the future: it's Kerberos based and the packet
exchange is shorter than NTLM (but packets are larger). The only
drawback is that Samba 3 doesn't support it...

Another limit is that you need at least Internet Explorer 7 or Firefox 1.5.

It's very easy to use when running Squid on Windows with native helpers,
or you can try the new squid_kerb_auth helper:
http://www.squid-cache.org/mail-archive/squid-users/200801/0257.html

>My aims are:
> * to have a proxy that is only available to authenticated Windows
>   domain users.
> * that Internet Explorer should not prompt the user for their
>   username and password if they have already logged onto the domain.
> * that Squid should be able to record usernames alongside requests
>   in its logs.
> * that DansGuardian should be able to identify the username of the client.
>
>Is there some way I can get all this without paying the penalty of NTLM auth?

Sure, negotiate.

Regards

Guido

-
========================================================
Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135 Fax. : +39.011.9781115
Email: guido.serassio@acmeconsulting.it
WWW: http://www.acmeconsulting.it/
Received on Tue Feb 19 2008 - 11:49:44 MST
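An added example, not from this thread nor from curl, Squid or Samba: it answers the question raised above (which NTLM variant a client actually sends) by decoding a captured `Proxy-Authorization: NTLM <base64>` Type 3 message and classifying its NtChallengeResponse by the fixed 24-byte NTLMv1 length versus the NTProofStr-plus-blob NTLMv2 layout from MS-NLMP. `build_type3` and `make_header` are constructed helpers that produce test messages; the user name and response bytes are made up.

```python
import base64
import struct

# MS-NLMP NegotiateFlags bit NTLMSSP_NEGOTIATE_UNICODE: string fields are UTF-16LE
NEGOTIATE_UNICODE = 0x00000001


def build_type3(user: str, nt_response: bytes, lm_response: bytes = b"\0" * 24) -> bytes:
    """Construct a minimal AUTHENTICATE (Type 3) message as test input (constructed,
    not a real client capture); domain, workstation and session key are left empty."""
    user_b = user.encode("utf-16-le")
    fields, payload = [], b""
    for blob in (lm_response, nt_response, b"", user_b, b"", b""):
        # each field: Len, MaxLen, Offset (offset counts from the start of the message)
        fields.append(struct.pack("<HHI", len(blob), len(blob), 64 + len(payload)))
        payload += blob
    return (b"NTLMSSP\0" + struct.pack("<I", 3) + b"".join(fields)
            + struct.pack("<I", NEGOTIATE_UNICODE) + payload)


def make_header(user: str, nt_response: bytes) -> str:
    """Wrap a Type 3 message the way a client sends it in Proxy-Authorization."""
    return "NTLM " + base64.b64encode(build_type3(user, nt_response)).decode()


def classify_type3(header_value: str) -> dict:
    """Decode a 'Proxy-Authorization: NTLM <base64>' value and report which
    response variant the client used, plus the user name it claims."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM header")
    msg = base64.b64decode(b64)
    if msg[:8] != b"NTLMSSP\0" or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLMSSP AUTHENTICATE (Type 3) message")
    nt_len, _, nt_off = struct.unpack_from("<HHI", msg, 20)
    user_len, _, user_off = struct.unpack_from("<HHI", msg, 36)
    flags = struct.unpack_from("<I", msg, 60)[0]
    raw_user = msg[user_off:user_off + user_len]
    user = raw_user.decode("utf-16-le") if flags & NEGOTIATE_UNICODE else raw_user.decode("latin-1")
    nt_resp = msg[nt_off:nt_off + nt_len]
    if nt_len == 0:
        variant = "anonymous (no NT response)"
    elif nt_len == 24:
        variant = "NTLMv1"      # fixed 24-byte DES-based NtChallengeResponse
    elif nt_len > 24 and nt_resp[16:18] == b"\x01\x01":
        variant = "NTLMv2"      # 16-byte NTProofStr followed by the v2 client-challenge blob
    else:
        variant = "unknown"
    return {"user": user, "nt_response_len": nt_len, "variant": variant}
```

Run it over the `Proxy-Authorization` values from a curl `-v` trace or a Squid access log capture to confirm what the helper is really negotiating.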
