[squid-users] Windows Authentication Helper client

From: Matt Richards <matt_at_mattstone.net>
Date: Fri, 26 Mar 2010 10:17:11 +0000

Hello,

Does anybody know of any technique or application that will allow
Windows machines (XP and 7) to authenticate against a proxy when
applications don't support proxy authentication?

What I am looking for is an alternative to Novell's Client Trust. It's an
application that sits in the system tray and when a user attempts to use
the proxy the proxy will connect back to the IP address of the
requesting machine on a specific port and talk to the client trust
application to establish what user is logged on to the machine.

At the moment we have a number of authentication mechanisms set up,
including Kerberos, NTLM, basic and a web based login form if the
machine is not a member of our domain or logged into a guest account.
This all works well most of the time but there are a few cases where the
software just fails to work when it tries to connect and pointing the
machine (IE or the software) at a proxy that doesn't require
authentication works without issue.

It also works if the machine is logged in as our guest user and the user
authenticates to the web form as this doesn't require the software to
authenticate as the proxy knows to map that IP address to the
authenticated user.

I have looked through the internet and thought about this for a while
now and I still haven't really been able to come up with anything that
doesn't involve writing our own application for the workstation and an
authentication helper for squid. My programming skills are basic.

There was one thought I had which was to write scripts to add an entry
in a database (memcache) after a request for a page from a successful
login and then check this database in one of the steps in attempting to
identify the user. I would probably use storeurl_rewrite_program to
update the database. The only issues with this are working out what I would
set the timeout to (users bounce around machines here quite a lot), if
this would slow down the proxy too much (~120 requests per second for
each proxy), and if the application is an exam application (downloads
content, no network usage for 40 mins while they answer questions, then
uploads the results) so it times out before the upload and also for this
to work they will have to request content and successfully
authenticate before they will have a cache entry.

Sorry for the long email, if anybody has any ideas I would really like
to hear about them.

Cheers,

Matt.
Received on Fri Mar 26 2010 - 10:17:25 MDT
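
The IP-to-user cache idea from the message, sketched as an added example (not code from the original post or from the Squid project). It assumes a helper started through Squid's `external_acl_type` with the `%SRC` format, which receives one client IP per line and replies `OK user=<name>` or `ERR`; the class and function names, the in-memory dict standing in for memcache, and the sample address and user are hypothetical.

```python
import sys
import time

class IpSessionCache:
    """Client IP -> (user, expiry). A dict stands in for the shared memcache."""

    def __init__(self, ttl_seconds, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock          # injectable so expiry can be tested
        self.entries = {}

    def record_login(self, ip, user):
        # Called after a request from this IP authenticated successfully.
        # Overwrites any earlier user, since users move between machines.
        self.entries[ip] = (user, self.clock() + self.ttl)

    def lookup(self, ip):
        entry = self.entries.get(ip)
        if entry is None:
            return None
        user, expiry = entry
        if self.clock() >= expiry:
            # Fixed lifetime: an idle client loses its mapping.
            del self.entries[ip]
            return None
        return user

def answer(cache, line):
    """One helper exchange: input line starts with the client IP (%SRC)."""
    fields = line.split()
    user = cache.lookup(fields[0]) if fields else None
    return f"OK user={user}" if user else "ERR"

def main():
    # Constructed sample entry; a real deployment would read the shared store.
    cache = IpSessionCache(ttl_seconds=1800)
    cache.record_login("192.0.2.10", "alice")
    for line in sys.stdin:
        sys.stdout.write(answer(cache, line) + "\n")
        sys.stdout.flush()  # Squid waits for one reply line per request

if __name__ == "__main__":
    main()
```

With a 30-minute lifetime, a client that is silent for 40 minutes gets `ERR` on its next request, which is the timeout trade-off the message raises for the exam application.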
