Re: [squid-users] HTTP 407 responses

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 16 Feb 2012 10:31:15 +1300

On 16.02.2012 04:33, Mr J Potter wrote:
> Hi Amos,
>
> Thanks for your help on this...
>
> I've had to change tack on this in light of what you have said and
> have now got NTLM authentication working.
>
> - any form of http authentication is going to kick up a login box -
> there is no way round this, right?

No. That is entirely up to the browser. Squid always sends the 407, but
whether that goes through a SSO process or popup is up to the browser.

>
> With NTLM, I am now getting the NTLM login 3 times before it lets me
> in (apparently this is normal)
>

Several 407 *messages* is normal yes. Popups? Not so much. You should
only ever see one of those (or not even one).

>
> Can you recommend the best/least bad approach to go for here? I'm
> setting up a guest wireless system, and I just want a way to get (non
> domain) devices to get a chance to login to get an internet
> connection, but all the ways I've found have major flaws.
>
>
> - LDAP basic authentication works fine but is insecure
> - LDAP digest requires a new type of password hash to be set up in my
> directory services
> - NTLM requires 3 login attempts
>
> Or do I move away from http authentication entirely?

You have missed Kerberos. This is an upgrade from NTLM with less of the
handshake messages and somewhat better security encryption. Most systems
support it, but YMMV on a general access system.

Amos
Received on Wed Feb 15 2012 - 21:31:19 MST
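
Added example, not part of the original message or of Squid: a short Python sketch that labels the proxy authentication headers in an exchange and counts the 407 responses, showing why a single NTLM login produces more than one 407. The exchange and the tokens are constructed (signature and message-type field only), and the function names are hypothetical.

```python
import base64
import struct

NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

def classify(header_value):
    """Describe one Proxy-Authenticate / Proxy-Authorization header value."""
    scheme, _, token = header_value.partition(" ")
    scheme, token = scheme.upper(), token.strip()
    if scheme == "BASIC":
        return "BASIC: credentials are only base64-encoded"
    if scheme == "DIGEST":
        return "DIGEST: hashed challenge/response"
    if scheme not in ("NTLM", "NEGOTIATE"):
        return "unrecognised scheme"
    if not token:
        return scheme + ": scheme offered, no token yet"
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return scheme + ": undecodable token"
    if raw.startswith(b"NTLMSSP\x00") and len(raw) >= 12:
        # The message type is a little-endian uint32 right after the signature.
        mtype = struct.unpack_from("<I", raw, 8)[0]
        return "NTLM message type %d (%s)" % (mtype, NTLM_TYPES.get(mtype, "unknown"))
    return scheme + ": token is not NTLMSSP (SPNEGO/Kerberos-style)"

def ntlm_token(msg_type):
    """Constructed stand-in for a real token: signature and type field only."""
    return base64.b64encode(b"NTLMSSP\x00" + struct.pack("<I", msg_type)).decode()

# Constructed exchange: (HTTP status or None for a client request, auth header value)
EXCHANGE = [
    (None, None),                      # first request, no credentials
    (407, "NTLM"),                     # proxy offers the scheme
    (None, "NTLM " + ntlm_token(1)),   # client negotiate
    (407, "NTLM " + ntlm_token(2)),    # proxy challenge
    (None, "NTLM " + ntlm_token(3)),   # client authenticate
    (200, None),                       # request served
]

def summarise(exchange):
    """Return (number of 407 responses, description of each auth header seen)."""
    count_407 = sum(1 for status, _ in exchange if status == 407)
    return count_407, [classify(h) for _, h in exchange if h]

if __name__ == "__main__":
    count, steps = summarise(EXCHANGE)
    print(count, "x 407")
    for step in steps:
        print(" ", step)
```

In a packet capture or proxy log, the same classification separates handshake 407s that follow each other within one login from a repeated bare challenge, which indicates the credentials were rejected.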
