Re: [squid-users] Windows Authentication Helper client

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sun, 28 Mar 2010 23:48:16 +1300

Matt Richards wrote:
> Hello,
>
> Does anybody know of any technique or application that will allow
> windows machines (XP and 7) to authenticate against a proxy when
> applications don't support proxy authentication?
>
> What I am looking for is an alternative to Novell's Client Trust, it's an
> application that sits in the system tray and when a user attempts to use
> the proxy the proxy will connect back to the IP address of the
> requesting machine on a specific port and talk to the client trust
> application to establish what user is logged on to the machine.
>
> At the moment we have a number of authentication mechanisms set up,
> including Kerberos, NTLM, basic and a web based login form if the
> machine is not a member of our domain or logged into a guest account.
> This all works well most of the time but there are a few cases where the
> software just fails to work when it tries to connect and pointing the
> machine (IE or the software) at a proxy that doesn't require
> authentication works without issue.
>
> It also works if the machine is logged in as our guest user and the user
> authenticates to the web form as this doesn't require the software to
> authenticate as the proxy knows to map that IP address to the
> authenticated user.
>
> I have looked through the internet and thought about this for a while
> now and I still haven't really been able to come up with anything that
> doesn't involve writing our own application for the workstation and an
> authentication helper for squid. My programming skills are basic.
>
> There was one thought I had which was to write scripts to add an entry
> in a database (memcache) after a request for a page from a successful
> login and then check this database in one of the steps in attempting to
> identify the user. I would probably use storeurl_rewrite_program to
> update the database. The only issues with this are working out what I would
> set the timeout to (users bounce around machines here quite a lot), if
> this would slow down the proxy too much (~120 requests per second for
> each proxy), and if the application is an exam application (downloads
> content, no network usage for 40 mins while they answer questions, then
> uploads the results) so it times out before the upload and also for this
> to work they will have to request content and successfully
> authenticate before they will have a cache entry.
>
> Sorry for the long email, if anybody has any ideas I would really like
> to hear about them.
>
> Cheers,
>
> Matt.
>
>

You mean IDENT protocol?

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE8 or 3.0.STABLE25
   Current Beta Squid 3.1.0.18
Received on Sun Mar 28 2010 - 10:48:23 MDT
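
An added example, not part of the original thread: the exchange that the IDENT pointer above refers to (RFC 1413), seen from the proxy, which queries TCP port 113 on the workstation and parses the one-line reply. The reply is whatever the workstation chooses to say, so the parser checks the echoed port pair and applies a local allow-list before the name is used; the function names, the allow-list and the sample ports are assumptions of this example.

```python
import re

# RFC 1413 reply line (without CRLF):
#   <port-on-server> , <port-on-client> : USERID : <opsys> : <user-id>
#   <port-on-server> , <port-on-client> : ERROR  : <error-type>
_REPLY = re.compile(
    rb"[ \t]*(\d{1,5})[ \t]*,[ \t]*(\d{1,5})[ \t]*:[ \t]*(USERID|ERROR)[ \t]*:(.*)"
)
_ERRORS = {"INVALID-PORT", "NO-USER", "HIDDEN-USER", "UNKNOWN-ERROR"}
# Assumption: local allow-list for names that may reach ACLs and logs.
_SAFE_USER = re.compile(rb"[A-Za-z0-9._@$\\-]{1,64}")


def build_query(workstation_port: int, proxy_port: int) -> bytes:
    """Line the proxy sends to TCP/113 on the workstation. The port on the
    machine being asked (the workstation) comes first."""
    return b"%d, %d\r\n" % (workstation_port, proxy_port)


def parse_reply(raw: bytes, workstation_port: int, proxy_port: int):
    """Return the claimed user name, or None for a well-formed ERROR reply.
    Raise ValueError for malformed input or a port pair we did not ask about."""
    if len(raw) > 1000 or not raw.endswith(b"\r\n"):
        raise ValueError("oversized or unterminated reply")
    m = _REPLY.fullmatch(raw[:-2])
    if m is None:
        raise ValueError("not an RFC 1413 reply")
    if (int(m.group(1)), int(m.group(2))) != (workstation_port, proxy_port):
        raise ValueError("port pair does not match the query")
    kind, rest = m.group(3), m.group(4)
    if kind == b"ERROR":
        token = rest.strip().decode("ascii", "replace")
        if token not in _ERRORS and not token.startswith("X"):
            raise ValueError("unknown error token")
        return None
    _opsys, sep, user = rest.partition(b":")
    # RFC 1413 counts spaces after the colon as part of the user-id; this
    # example strips them, as a normalisation choice.
    user = user.strip()
    if not sep or not _SAFE_USER.fullmatch(user):
        raise ValueError("missing or unsafe user-id")
    return user.decode("ascii")


# Constructed sample exchange (ports and user name are made up).
if __name__ == "__main__":
    print(build_query(51234, 3128))
    print(parse_reply(b"51234, 3128 : USERID : UNIX : jdoe\r\n", 51234, 3128))
```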
