Re: [squid-users] NTLM authentication login popups

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 21 Aug 2010 20:53:20 +1200

Tuan Nguyen wrote:
> Thanks Kinkie but I'm still getting the popup window (tried with both
> IE and FF). The client machine is joined to a domain. Basically I'm
> trying to force an Access Denied page on this client instead of the
> popup. The wiki does suggest an "all hack" but it's not working for
> me:
>
> http://wiki.squid-cache.org/Features/Authentication#How_do_I_prevent_Login_Popups.3F
>

You had it inverted. Kinkie's suggestion got you halfway there.

This:
   acl ntlmauth proxy_auth REQUIRED
   http_access allow ntlmauth all
   http_access deny all

will permit successfully pre-authed users and send back "Access Denied"
to the rest.

However there is a critical flaw with NTLM which may bite you here...
  * NTLM *requires* a 407 challenge to be sent back with a token used
in sending the followup credentials.
  * the "all" hack prevents the 407 header containing that token being
sent. (Its presence is the trigger for the browser to potentially do
the popup).
Understanding those two facts, it's highly likely that browsers will never
send acceptable NTLM tokens.

NTLM without the initial challenges is equivalent to Kerberos. So if you
want this to be reliably working you had best look at the upgrade to
that auth protocol.

One other thing to be aware of: the browser is the software that decides
whether a popup occurs, and will only do so if it has no credentials or
the ones it already tried have failed.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.6
   Beta testers wanted for 3.2.0.1
Received on Sat Aug 21 2010 - 08:53:29 MDT
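The two behaviours discussed in this thread (the "all" hack returning a plain Access Denied versus the plain form returning a 407 challenge) can be traced through a small simulation of Squid's documented http_access rule: a proxy_auth ACL that fails for an unauthenticated client triggers a 407 only when it is the last ACL on its line; if another ACL such as "all" follows it, the line simply fails to match and evaluation moves on. The following is an added example written for this archive page, not Squid's own code; the Client/Decision classes, the parse and evaluate functions, and both config snippets are constructed to model only the ACL types this thread uses (proxy_auth and the built-in "all").

```python
from dataclasses import dataclass, field

# Constructed configs: the "all" hack from the thread, and the plain form.
CONFIG_ALL_HACK = """
acl ntlmauth proxy_auth REQUIRED
http_access allow ntlmauth all
http_access deny all
"""

CONFIG_CHALLENGE = """
acl ntlmauth proxy_auth REQUIRED
http_access allow ntlmauth
http_access deny all
"""


@dataclass
class Client:
    """Hypothetical view of one client connection as the proxy sees it."""
    authenticated: bool = False  # has the NTLM handshake completed?


@dataclass
class Decision:
    """Hypothetical outcome: HTTP status plus any headers the proxy adds."""
    status: int
    headers: dict = field(default_factory=dict)


def parse(config):
    """Extract ACL types and http_access lines from a squid.conf fragment."""
    acls = {"all": "src"}  # built-in "all" ACL: type src, matches everything
    rules = []
    for raw in config.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "acl":
            acls[parts[1]] = parts[2]          # name -> ACL type
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))  # (allow|deny, [acl names])
    return acls, rules


def evaluate(config, client):
    """Walk the http_access lines the way Squid's documented rules describe."""
    acls, rules = parse(config)
    for action, names in rules:
        line_matches = True
        for i, name in enumerate(names):
            negate = name.startswith("!")
            acl_type = acls[name.lstrip("!")]
            if acl_type == "proxy_auth" and not client.authenticated:
                # Credentials missing or not yet accepted. Squid challenges
                # (407 + Proxy-Authenticate) only when this auth ACL is the
                # LAST entry on the line; otherwise the line just fails and
                # evaluation continues, which is what the trailing "all"
                # relies on to suppress the challenge.
                if i == len(names) - 1:
                    return Decision(407, {"Proxy-Authenticate": "NTLM"})
                line_matches = False
                break
            matched = (acl_type == "src") or client.authenticated
            if negate:
                matched = not matched
            if not matched:
                line_matches = False
                break
        if line_matches:
            return Decision(200) if action == "allow" else Decision(403)
    # No line matched: Squid's default is the opposite of the last line.
    last_action = rules[-1][0] if rules else "deny"
    return Decision(403) if last_action == "allow" else Decision(200)


if __name__ == "__main__":
    for label, cfg in (("all hack", CONFIG_ALL_HACK),
                       ("plain", CONFIG_CHALLENGE)):
        for authed in (False, True):
            d = evaluate(cfg, Client(authenticated=authed))
            print(f"{label:8} authenticated={authed!s:5} -> {d.status} {d.headers}")
```

Running it shows the point Amos makes: with the "all" hack an unauthenticated client gets 403 with no Proxy-Authenticate header, so an NTLM-capable browser never receives the challenge it needs to start the handshake, and only clients whose handshake already completed on that connection get 200; with the plain form the same client gets 407 with the NTLM challenge header, which is also what can trigger the popup when the browser has no usable credentials.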
