This is a little early to go up, but I thought I'd write up the change now so it's out of the way.
11.14 Squid an NTLM Authentication.
From Squid 2.5 squid comes with support for Microsoft NTLM authentication. There are limits on our support: We cannot proxy
connections to a origin server that use NTLM authentication, but we can act as a web accelerator or proxy server and authenticate
the client connection using NTLM.
We support NT4, Samba, and Windows 2000 Domain Controllers. For more information get squid 2.5 and run ./configure --help.
Why we cannot proxy NTLM even though we can use it.
Quoting from summary at the end of the browser authentication section in
http://support.microsoft.com/support/kb/articles/Q198/1/16.ASP
In summary, Basic authentication does not require an implicit end-to-end state, and can therefore be used through a proxy server.
Windows NT Challenge/Response authentication requires implicit end-to-end state and will not work through a proxy server.
Squid transparently passes the NTLM request and response headers between clients and servers. NTLM relies on a single end-end
connection (possibly with men-in-the-middle, but a single connection every step of the way. This implies that for NTLM
authentication to work at all with proxy caches, the proxy would need to tightly link the client-proxy and proxy-server links, as
well as understand the state of the link at any one time. NTLM through a CONNECT might work, but we as far as we know that hasn't
been implemented by anyone, and it would prevent the pages being cached - removing the value of the proxy.
NTLM authentication is carried entirely inside the HTTP protocol, but is different from Basic authentication in many ways.
It is dependent on a stateful end-to-end connection which collides with RFC 2616 for proxy-servers to disjoin the client-proxy and
proxy-server connections.
It is only taking place once per connection, not per request. Once the connection is authenticated then all future requests on the
same connection inherities the authentication. The connection must be reestablished to set up other authentication or re-identify
the user.
The reasons why it is not implemented in Netscape is probably:
It is very specific for the Windows platform
It is not defined in any RFC or even internet draft.
The protocol has several shortcomings, where the most apparent one is that it cannot be proxied.
There exists an open internet standard which does mostly the same but without the shortcomings or platform dependencies: digest
authentication(link these two words to ftp://ftp.isi.edu/in-notes/rfc2617.txt) .
Received on Wed Jan 10 2001 - 16:32:15 MST
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:13:16 MST