Re: [squid-users] Integrated Windows Authentication through Squid

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 14 Jan 2012 19:44:19 +1300

On 14/01/2012 4:41 a.m., Javier Conti wrote:
> Hi list,
>
> I'm trying to setup access to several internal websites that use
> Integrated Windows Authentication in a Windows XP/7/2008
> environment through Squid 3.1.12. I successfully setup Squid
> to authenticate users using Kerberos or NTLM. With Internet
> Explorer and Firefox, users successfully authenticate to squid
> and get access to all websites (those without Integrated
> Windows Authentication actually work fine).
>
> However, all websites using Integrated Windows Authentication
> respond with a 401.1 Access Denied error, as it seems the
> request reaches the web server without information about the
> user's credential. Accessing those websites directly, works fine.
>
> I still don't fully understand how Integrated Windows Authentication
> really works, but is anyone successfully using it through a proxy?
> Any hints or links to documentation on how it should work in detail?
>
> Thanks, Javier

NTLM does not work over the Internet due to the way it requires breaking
HTTP protocol. Not many admin are happy breaking overall network
performance to cater for MS product design.

Kerberos is updated to fix several of the major problems NTLM had in the
handshake portion. As a result of that change it shodul in theory work
over the Internet more often. It still requires persistent connections
for anything like good performance and still depends on the "pinning"
hack to break HTTP multiplexing and emulate a end-to-end TCP connection.

So the asnwer is "yes, it works successfuly through Squid." but that
does not cover whether it works through any of your hardware, firewalls,
IDS systems, NAT systems your upstream providers, their providers, the
sites provider etc. There is a LOT of hardware and software involved.
Any one of which could break the requirements Windows LAN auth systems
depend on.

The authentication protocols which were designed to work as part of the
HTTP protocol operate just fine when sent over the Internet. As you saw.

Amos
Received on Sat Jan 14 2012 - 06:44:29 MST

This archive was generated by hypermail 2.2.0 : Mon Jan 16 2012 - 12:00:02 MST