RE: authentication, 407 / 403

From: Chemolli Francesco (USI) <ChemolliF@dont-contact.us>
Date: Thu, 5 Jul 2001 14:17:34 +0200

> Chemolli Francesco (USI) wrote:
>
> > It is a different variation of a problem I had in the reverse, when I wanted
> > non-authenticated users to get a 407 instead of 403 (there is an undocumented
> > -DDEFINE_KINKIES_407_HACK in squid-ntlm now to accommodate my needs).
>
> Expand please. The user should get 407 in most events related to
> authentication I think.

Sure.
It is a problem which is related to Internet Explorer and NTLM.
The NTLM authentication handshake implies at least 3 HTTP requests, the first 2
getting 407's. Only at the third request does Squid get to know the user's
credentials. If the check fails, without KINKIE_407_HACK, Squid will 403.
The problem is that the damned Explorer, upon getting a 403, will NOT
pop up a window and ask for alternate credentials, it will just display the
error page. If the user reloaded the page, it would happen again and
the user would never be allowed to enter alternate credentials.
With Robert's help, we hacked on client_side.c so that it returned 407's
upon failed auth, so that users may get the popup window.

> Reminds me of an old ACL hack I did, changing the semantics of when to
> request user credentials. Instead of having them requested by the
> proxy_auth ACL, I had them requested if the request was denied and a
> proxy_auth ACL had been touched.

That may be an interesting alternate approach.

[no further interesting comments to add, text cut]

-- 
	/kinkie 
Received on Thu Jul 05 2001 - 06:10:26 MDT
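
The exchange described in the message above, modelled as an added example; this is not Squid's code and not part of the original post. The function names, the `rechallenge_on_failure` flag standing in for the hack, the restart on an out-of-order message, and 200 as the "allowed" status are all assumptions.

```c
#include <stdio.h>
/* Simplified proxy-side model of the NTLM handshake; not Squid's code. */
enum ntlm_state { NTLM_NONE, NTLM_CHALLENGE_SENT, NTLM_DONE };
enum client_msg { MSG_NONE, MSG_NEGOTIATE, MSG_AUTHENTICATE };
struct conn { enum ntlm_state state; };

/* Status returned for one request. creds_ok only matters for MSG_AUTHENTICATE.
 * rechallenge_on_failure is a hypothetical flag standing in for the 407 hack. */
int proxy_status(struct conn *c, enum client_msg m, int creds_ok,
                 int rechallenge_on_failure)
{
    switch (m) {
    case MSG_NEGOTIATE:             /* request 2: reply carries the challenge */
        c->state = NTLM_CHALLENGE_SENT;
        return 407;
    case MSG_AUTHENTICATE:          /* request 3: credentials finally known */
        if (c->state != NTLM_CHALLENGE_SENT)
            break;                  /* assumption: out of order, start over */
        if (creds_ok) { c->state = NTLM_DONE; return 200; }
        c->state = NTLM_NONE;
        return rechallenge_on_failure ? 407 : 403;
    default:                        /* request 1: no credentials offered */
        break;
    }
    c->state = NTLM_NONE;
    return 407;
}

/* Browser behaviour as described in the message: prompt only on 407. */
int browser_prompts(int status) { return status == 407; }

/* Drive the three requests and return the status of the last one. */
int run_handshake(int creds_ok, int rechallenge_on_failure)
{
    struct conn c = { NTLM_NONE };
    int s1 = proxy_status(&c, MSG_NONE, 0, rechallenge_on_failure);
    int s2 = proxy_status(&c, MSG_NEGOTIATE, 0, rechallenge_on_failure);
    int s3 = proxy_status(&c, MSG_AUTHENTICATE, creds_ok, rechallenge_on_failure);
    printf("%d %d %d -> %s\n", s1, s2, s3,
           browser_prompts(s3) ? "credential prompt" : "no prompt");
    return s3;
}

int main(void)
{
    run_handshake(1, 0);   /* check passes */
    run_handshake(0, 0);   /* check fails, no hack: 403, no prompt */
    run_handshake(0, 1);   /* check fails, with the 407 change: prompt */
}
```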
