Re: [squid-users] Integrated Windows Authentication through Squid

From: Javier Conti <javier.conti_at_gmail.com>
Date: Mon, 16 Jan 2012 09:34:32 +0100

On 14 January 2012 07:44, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> On 14/01/2012 4:41 a.m., Javier Conti wrote:
>>
>> Hi list,
>>
>> I'm trying to setup access to several internal websites that use
>> Integrated Windows Authentication in a Windows XP/7/2008
>> environment through Squid 3.1.12. I successfully setup Squid
>> to authenticate users using Kerberos or NTLM. With Internet
>> Explorer and Firefox, users successfully authenticate to squid
>> and get access to all websites (those without Integrated
>> Windows Authentication actually work fine).
>>
>> However, all websites using Integrated Windows Authentication
>> respond with a 401.1 Access Denied error, as it seems the
>> request reaches the web server without information about the
>> user's credential. Accessing those websites directly, works fine.
>>
>> I still don't fully understand how Integrated Windows Authentication
>> really works, but is anyone successfully using it through a proxy?
>> Any hints or links to documentation on how it should work in detail?
>>
>> Thanks, Javier
>
>
> NTLM does not work over the Internet due to the way it requires breaking
> HTTP protocol. Not many admins are happy breaking overall network performance
> to cater for MS product design.
>
> Kerberos is updated to fix several of the major problems NTLM had in the
> handshake portion. As a result of that change it should in theory work over
> the Internet more often. It still requires persistent connections for
> anything like good performance and still depends on the "pinning" hack to
> break HTTP multiplexing and emulate an end-to-end TCP connection.
>
> So the answer is "yes, it works successfully through Squid." but that does
> not cover whether it works through any of your hardware, firewalls, IDS
> systems, NAT systems, your upstream providers, their providers, the site's
> provider etc. There is a LOT of hardware and software involved. Any one of
> which could break the requirements Windows LAN auth systems depend on.
>
> The authentication protocols which were designed to work as part of the HTTP
> protocol operate just fine when sent over the Internet. As you saw.

Hi Amos, thanks for your reply. I now have the impression that even if I manage
to make it work, it would not be as reliable as it should be, and in case I'd
face problems in the future, troubleshooting would be a nightmare. That
considered, I think investing more time in this is probably worthless.

Thanks for the clarification, Javier

>
> Amos
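The "pinning" point above is the crux of the 401.1 symptom, so here is a constructed simulation of it (added example; this is not code from the thread, from Squid, or from Microsoft). NTLM and the NTLM-flavoured Negotiate handshake authenticate the TCP connection, not each request: after the Type1/Type2/Type3 exchange the origin server marks that connection as belonging to a user. A proxy that pools upstream connections the normal HTTP/1.1 way can therefore either deliver a client's Type3 onto a connection that never saw its Type1 (the 401.1 the original poster hit) or serve one client's unauthenticated request over a connection another client already authenticated. The `OriginServer`, `Proxy`, client names and token strings are all hypothetical stand-ins for real IIS/Squid behaviour and real binary NTLM messages.

```python
"""Constructed simulation of connection-oriented NTLM auth through a proxy.
Not Squid or IIS code; all names and tokens here are hypothetical."""
from dataclasses import dataclass
from itertools import count
from typing import Dict, List, Optional


@dataclass
class Request:
    client: str                       # which downstream client connection
    authorization: Optional[str] = None   # "NTLM type1:..." / "NTLM type3:<user>"


@dataclass
class Response:
    status: int
    user: Optional[str] = None
    www_authenticate: Optional[str] = None


class OriginServer:
    """Keeps NTLM handshake state per upstream TCP connection, as an IIS-style
    server does: once a connection is authenticated, later requests on it are
    served as that user without any Authorization header."""

    def __init__(self) -> None:
        self.state: Dict[int, dict] = {}

    def handle(self, conn_id: int, req: Request) -> Response:
        st = self.state.setdefault(conn_id, {"stage": "anon", "user": None})
        if st["stage"] == "auth":
            return Response(200, user=st["user"])
        if not req.authorization or not req.authorization.startswith("NTLM "):
            return Response(401, www_authenticate="NTLM")
        token = req.authorization[len("NTLM "):]
        if token.startswith("type1:"):
            st["stage"] = "challenged"          # Type1 seen on *this* connection
            return Response(401, www_authenticate="NTLM type2:challenge")
        if token.startswith("type3:") and st["stage"] == "challenged":
            st["stage"], st["user"] = "auth", token[len("type3:"):]
            return Response(200, user=st["user"])
        st["stage"] = "anon"                    # Type3 without a prior Type1: reject
        return Response(401, www_authenticate="NTLM")


class Proxy:
    """Forwarding proxy. pin=False: any idle pooled upstream connection serves
    any request (HTTP/1.1 multiplexing). pin=True: each client connection gets
    its own dedicated upstream connection, which is what connection pinning
    emulates (an end-to-end TCP connection through the proxy)."""

    def __init__(self, origin: OriginServer, pin: bool) -> None:
        self.origin, self.pin = origin, pin
        self.ids = count(1)
        self.pool: List[int] = []             # idle upstream connections
        self.pinned: Dict[str, int] = {}      # client -> upstream connection

    def _acquire(self, client: str) -> int:
        if self.pin:
            return self.pinned.setdefault(client, next(self.ids))
        return self.pool.pop() if self.pool else next(self.ids)

    def _release(self, conn: int) -> None:
        if not self.pin:
            self.pool.append(conn)            # back in the shared pool

    def forward(self, req: Request) -> Response:
        return self.forward_concurrently([req])[0]

    def forward_concurrently(self, reqs: List[Request]) -> List[Response]:
        """Requests in flight at the same time each need their own upstream
        connection; they are released only after all have been answered."""
        conns = [self._acquire(r.client) for r in reqs]
        resps = [self.origin.handle(c, r) for c, r in zip(conns, reqs)]
        for c in conns:
            self._release(c)
        return resps


def ntlm_login(proxy: Proxy, client: str) -> List[Response]:
    """The three legs of an NTLM exchange for one client, sent sequentially."""
    return [proxy.forward(Request(client)),
            proxy.forward(Request(client, "NTLM type1:negotiate")),
            proxy.forward(Request(client, f"NTLM type3:{client}"))]


def scenario_credential_leak(pin: bool) -> Response:
    """alice authenticates; bob then sends a request with no credentials."""
    proxy = Proxy(OriginServer(), pin)
    ntlm_login(proxy, "alice")
    return proxy.forward(Request("bob"))     # pooled: 200 as alice; pinned: 401


def scenario_interleaved_handshake(pin: bool) -> Response:
    """bob's request is in flight while alice sends Type1, so alice's Type3
    may land on a different upstream connection than her Type1."""
    proxy = Proxy(OriginServer(), pin)
    proxy.forward(Request("alice"))
    proxy.forward_concurrently([Request("alice", "NTLM type1:negotiate"),
                                Request("bob")])
    return proxy.forward(Request("alice", "NTLM type3:alice"))  # pooled: 401


if __name__ == "__main__":
    for pin in (False, True):
        print(f"pin={pin}: leak -> {scenario_credential_leak(pin)}")
        print(f"pin={pin}: interleaved -> {scenario_interleaved_handshake(pin)}")
```

The pinned variant is the behaviour Squid's `connection_auth` directive (on by default) provides for NTLM and Negotiate: the client's connection is tied to one server connection for its lifetime, at the cost of the connection reuse that HTTP/1.1 keep-alive normally gives. If the origin is reached via a `cache_peer`, the peer entry also needs the credentials passed through (`login=PASSTHRU`), otherwise Squid strips the proxy-directed handshake before it reaches the origin. Note that this only covers Squid itself; any device between Squid and the origin that terminates or re-multiplexes TCP breaks the per-connection state the same way the pooled proxy does above.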
Received on Mon Jan 16 2012 - 08:34:40 MST

This archive was generated by hypermail 2.2.0 : Mon Jan 16 2012 - 12:00:03 MST