I have a related question:
I have a Kerberos helper followed by an NTLM helper in my squid setup. I
haven't yet figured out a way to deal with non-domain computers. Users are
prompted for the login, which they can't ever satisfy. However if they
enter their credentials once (e.g. domain\username password) and then
cancel the other prompts, they can click the link they were trying to
access (contained in the Access Denied page) and they can browse. Access
log show that it's the Kerberos-authenticated user that is allowed access
(not NTLM).
Is there a better/proper way to allow non-domain computers access using
NTLM/Kerberos? Would persistent connections help here?
version: 3.20STABLE
Thanks
On 25/08/2010 01:22, "Amos Jeffries" <squid3_at_treenet.co.nz> wrote:
>On Tue, 24 Aug 2010 17:22:09 +0100, José Carlos Correia
><jcorreia_at_tintadigital.com> wrote:
>> Dear all,
>>
>> I have installed Squid in Windows 2008 with NTLM authentication but the
>> browser still prompts for login.
>>
>> I read in the forums that NTLM won't work if:
>> "- the client is not joined to a domain
>> - the client is configured not to attempt automatica authentication to
>> the proxy
>> - the clients is not MSIE or Firefox (not sure about other browsers)"
>
>That last point is false. WMP and Java apps are known to do NTLM.
>There is no reason other browsers on windows can't do it too.
>
>Add to that list:
> - if the server closes the connection all the time behind HTTP/1.0
>proxies (ie Squid).
>
>>
>> In this case, Squid is replacing an ISA Server. NTLM was working with
>> the ISA server but without any changes to the clients (just replacing
>> the ISA Server by Squid) NTLM doesn't work.
>>
>> The only situation where the browser doesn't prompt for authentication
>> is when the server is added to the Trusted Zone and IE is configured
>> with Automatic login. But this won't necessary with the ISA Server.
>>
>> What am I missing?
>>
>> Thanks,
>> José Carlos Correia
>
>There has been a lot of testing and checking of NTLM and persistent
>connections recently in exactly this area. Squid-3.1.7 contains a number
>of
>fixes.
>
>Amos
The information contained in this e-mail is of a confidential nature and is intended only for the addressee. If you are not the intended addressee, any disclosure, copying or distribution by you is prohibited and may be unlawful. Disclosure to any party other than the addressee, whether inadvertent or otherwise, is not intended to waive privilege or confidentiality. Internet communications are not secure and therefore Conde Nast does not accept legal responsibility for the contents of this message. Any views or opinions expressed are those of the author.
The Conde Nast Publications Ltd (No. 226900), Vogue House, Hanover Square, London W1S 1JU
Received on Wed Aug 25 2010 - 16:32:45 MDT
This archive was generated by hypermail 2.2.0 : Thu Aug 26 2010 - 12:00:02 MDT