RE: authentication, 407 / 403

From: Chemolli Francesco (USI) <ChemolliF@dont-contact.us>
Date: Thu, 5 Jul 2001 17:52:11 +0200

> > > It is a problem which is related to Internet Explorer and NTLM.
> > > NTLM authentication handshake implies at least 3 HTTP
> requests, the
> first 2
> > > getting 407's. Only at the third request Squid gets to
> know the user's
> > > credentials. If the check fails, without KINKIE_407_HACK,
> squid will
> 403.
>
> If a non-proxy_auth acl check fails.

To me it happened also when a proxy_auth check failed.
Either my tests were broken, or there is some flaw in the code.

my setup:

acl public_sites dstdomain .some.domain
acl users_can_browse proxy_auth "userlist.txt"
acl users_can_ftp proxy_auth "ftplist.txt"
acl proto_ftp url_regex ^ftp://
acl proto_http url_regex ^http://

http_access allow public_sites
http_access allow http users_can_browse
http_access allow ftp users_can_ftp
http_access deny all <-- 403-generating. [1]

[1] Maybe it should be expressed in some other way avoiding the problem
suggestions?

> ie the username isn't allowed to access the site. With NTLM
> IE will not
> allow the user to override the credentials when a 403 is
> returned. You can't
> go "forget the username, I'm a on-site support staff member".
>
> However IE will allow you to manually enter credentials when
> it's given a
> 407.

Which is what I said :)
Received on Thu Jul 05 2001 - 09:46:20 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:14:05 MST