Re: [squid-users] NTLM not working for squid in windows server

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 26 Aug 2010 00:01:18 +0000

On Wed, 25 Aug 2010 17:32:41 +0100, Nick Cairncross
<Nick.Cairncross_at_condenast.co.uk> wrote:
> I have a related question:
>
> I have a Kerberos helper followed by an NTLM helper in my squid setup. I
> haven't yet figured out a way to deal with non-domain computers. Users are
> prompted for the login, which they can't ever satisfy. However if they
> enter their credentials once (e.g. domain\username password) and then
> cancel the other prompts, they can click the link they were trying to
> access (contained in the Access Denied page) and they can browse. Access
> log shows that it's the Kerberos-authenticated user that is allowed access
> (not NTLM).
>
> Is there a better/proper way to allow non-domain computers access using
> NTLM/Kerberos? Would persistent connections help here?

Sounds a lot like some problems we have been investigating recently. 3.1.7
has many fixes resulting from that, though the
multiple-connection/multiple-challenge problem is still being looked at.

Persistent connections would help it recurring at later points, and are
required to reduce load on the authentication system. But that does not
seem to be the problem you face.

I advise using the latest 3.x you can and the browser credentials manager
so the browser only needs to ask for the master password then can send out
the lesser credentials as needed for connections.

>
> version: 3.20STABLE

3.2.0.* only just hit beta earlier this month. Do you mean "3.0.STABLE20"?

>
> Thanks
>
>
> On 25/08/2010 01:22, "Amos Jeffries" wrote:
>
>>On Tue, 24 Aug 2010 17:22:09 +0100, José Carlos Correia wrote:
>>> Dear all,
>>>
>>> I have installed Squid in Windows 2008 with NTLM authentication but the
>>> browser still prompts for login.
>>>
>>> I read in the forums that NTLM won't work if:
>>> "- the client is not joined to a domain
>>> - the client is configured not to attempt automatic authentication to
>>> the proxy
>>> - the client is not MSIE or Firefox (not sure about other browsers)"
>>
>>That last point is false. WMP and Java apps are known to do NTLM.
>>There is no reason other browsers on windows can't do it too.
>>
>>Add to that list:
>> - if the server closes the connection all the time behind HTTP/1.0
>>proxies (ie Squid).
>>
>>>
>>> In this case, Squid is replacing an ISA Server. NTLM was working with
>>> the ISA server but without any changes to the clients (just replacing
>>> the ISA Server by Squid) NTLM doesn't work.
>>>
>>> The only situation where the browser doesn't prompt for authentication
>>> is when the server is added to the Trusted Zone and IE is configured
>>> with Automatic login. But this wasn't necessary with the ISA Server.
>>>
>>> What am I missing?
>>>
>>> Thanks,
>>> José Carlos Correia
>>
>>There has been a lot of testing and checking of NTLM and persistent
>>connections recently in exactly this area. Squid-3.1.7 contains a number
>>of fixes.
>>
>>Amos
>
Received on Thu Aug 26 2010 - 00:01:23 MDT
