On Tue, 8 Nov 2011 07:41:57 -0800 (PST), franzo318 wrote:
> hi guys,
>
> installation: squidnt 2.7-8 on Win2008R2(domainmember srv)
> clients: win7/other 2008R2 Server
> configuration: with user authentication ->
> auth_param ntlm program c:/squid/libexec/mswin_ntlm_auth.exe
>
> result: proxy is not able to authenticate the client request because
> it can not handle the default win7/2008 R2 security setting "LAN
> Manager-Authentication-level"
> it would only work, if this setting would be changed from default to
> "ntlm only" -> but this change would result in a security hole!!!
>
> the same problem occurs while using the negotiate scheme and
> auth_param negotiate program c:/squid/libexec/mswin_negotiate_auth.exe
>
> my conclusion:
> user authentication with squidnt 2.7 in a 2008r2/win7 environment,
> is not possible without security impact.
Um, "SquidNT 2.7" was a copyright infringing trojan built from Squid
sources. I hope you mean the Acme packaged build of "Squid 2.7" for
Windows. "SquidNT" also being the internal alpha code name which was
dropped when the Windows support was merged to the stable releases of
Squid.
>
> is this right? or can anybody provide a workaround to the described
> problem?
Since the Win2008 default is Kerberos authentication (AKA
negotiate/Kerberos) rather than NTLM the use of mswin_ntlm_auth.exe is
itself a/the security hole in a manner of speaking.
mswin_negotiate_auth.exe uses the Windows native APIs to do Kerberos,
so should work. But 2.7 is a bit old and there may be some small API
updates needed since it was released. You may want to contact Guido at
Acme for support.
HTH
Amos
Received on Wed Nov 09 2011 - 01:11:47 MST