Re: [squid-users] Squid 3.1.8 and Kerberos authentication

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 22 Feb 2013 10:06:15 +1300

On 22/02/2013 5:06 a.m., Francesco wrote:
> Hello,
>
> I am trying Squid Kerberos authentication instead of NTLM authentication
> to resolve a compatibility issue with the latest version of Windows.
>
> Only two things, if I may:
>
> 1) In squid.conf, I have to specify the Windows user with the first letter
> capitalized. Ex: user = User@DOMAIN.
> If I specify user@DOMAIN I have no authentication to surf.

Case sensitivity has nothing to do with Squid. The user details are part
of the encrypted data transferred directly between your client software
and your authentication system. When users log in the authentication
system informs Squid what username just logged in - Squid uses that
label exactly as received.

>
> 2) In squid/access.log, for some pages, I see a DENIED request and then a
> TCP_MISS for the same page. It seems the browser tries to access a page
> and is not authenticated by the proxy server. Then the client retries
> and can reach the page. Is this normal?

Yes. This is how authentication works in general. Client connects,
server requests credentials, client repeats with credentials and gets
whatever response is appropriate for that.

If you were using Basic authentication it allows user credentials to be
sent by the browser on brand new requests so that the server challenge
part does not happen.
If you were using persistent connections in HTTP that allows a pipeline
of multiple requests to be sent on one connection with the same
credentials, reducing the connection count and thus the time auth
handshake has to occur.
  ... either one of these may have been happening previously such that
you would see some or most requests "just working" instead of every
single one being prefixed by a DENIED/407 handshake.

Amos
Received on Thu Feb 21 2013 - 21:06:24 MST
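
The DENIED-then-TCP_MISS pattern discussed in this thread, as an added example (not part of the original messages and not Squid code): a Python script that pairs each 407 challenge in access.log with the authenticated retry that follows it, so normal handshakes can be told apart from challenges that were never answered. It assumes Squid's native access.log format and a 5-second pairing window; the function names and the log lines are constructed for illustration.

```python
# Added example: pair each 407 challenge in a Squid native-format access.log
# with the authenticated retry that follows it. Log lines are constructed.
from collections import namedtuple

Entry = namedtuple("Entry", "ts client code status method url user")

SAMPLE_LOG = """\
1361480775.123      0 192.0.2.10 TCP_DENIED/407 4123 GET http://example.com/ - NONE/- text/html
1361480775.201     85 192.0.2.10 TCP_MISS/200 5120 GET http://example.com/ User@DOMAIN DIRECT/198.51.100.7 text/html
1361480780.010      0 192.0.2.11 TCP_DENIED/407 4123 GET http://example.org/a - NONE/- text/html
1361480790.500      0 192.0.2.11 TCP_DENIED/407 4123 GET http://example.org/a - NONE/- text/html
"""

def parse_line(line):
    """Parse one line of Squid's native access.log format (10 fields)."""
    f = line.split()
    if len(f) < 10:
        return None
    code, _, status = f[3].partition("/")
    return Entry(float(f[0]), f[2], code, int(status), f[5], f[6], f[7])

def classify_challenges(log_text, window=5.0):
    """Return (handshakes, unanswered): 407 challenges that were / were not
    followed by an authenticated retry of the same request by the same client."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    handshakes, unanswered = [], []
    for i, e in enumerate(entries):
        if e.status != 407:
            continue
        # A retry is the same client, method and URL, logged with a username
        # and a non-407 status, within `window` seconds of the challenge.
        retry = next((r for r in entries[i + 1:]
                      if r.ts - e.ts <= window
                      and (r.client, r.method, r.url) == (e.client, e.method, e.url)
                      and r.status != 407 and r.user != "-"), None)
        (handshakes if retry else unanswered).append((e, retry))
    return handshakes, unanswered

if __name__ == "__main__":
    ok, bad = classify_challenges(SAMPLE_LOG)
    for challenge, retry in ok:
        print("handshake:", challenge.client, challenge.url, "as", retry.user)
    for challenge, _ in bad:
        print("no authenticated retry:", challenge.client, challenge.url)
```

Challenges that land in the second list are the ones worth reviewing: a client that keeps receiving 407 without ever completing authentication is not following the normal handshake described above.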
