Squid cannot proxy NTLM authentication because Microsoft NTLM authentication
does not follow HTTP specifications on persistent connection management and
authentication.
HTTP specifies that persistent connections are managed independently between
client<->proxy and proxy<->server to allow efficient sharing of server
connections. Further, authentication is to take place per message, not per
connection.
NTLM authentication requires unique persistent client<->server connections with
absolutely no sharing of the server connection between multiple clients.
--
Henrik Nordstrom
Squid Hacker
Mihhail Meskov wrote:
> Hello Henrik,
>
> excuse me, please for distortion. But I need Your advice very-very much.
> May I ask you the following question: can I
> configure/rebuild_with_some_patch Squid to make it transparent to NTLM ?
> Below I'll try to explain what I mean.
> We have the following chain: MS web server that uses NTLM -- our proxy
> server -- Squid 2.4 -- clients with IE.
> Our proxy server (written in java) is a parent for Squid (registered as
> cache_peer .. no-query in squid.conf) and it is really transparent for MS
> web server and clients communication.
> The only thing it does is some HTTP headers' values changing.
> Often it happens that Squid occasionally breaks the NTLM negotiation on a
> second phase (when connection must be keep-alive it issues some other
> request to this connection, while MS web server waits for correct NTLM type
> 3 response from client on this connection). As I understand, it happens
> because Squid doesn't know that he can't use this connection for other
> requests sending while NTLM negotiation is not finished.
> Is there a way to make Squid smarter in case of NTLM and let client
> and server finish with NTLM negotiation and only after that use this
> connection ?
> I've read some articles about Squid and NTLM
> (http://squid.sourceforge.net/ntlm/). There, as I've understood, the matter
> concerns the situation when Squid requires NTLM authentication itself. But
> this is not what I need.
>
> Microsoft always says that NTLM negotiation CANNOT be done over proxy. As my
> experience shows, it CAN BE DONE only if proxy can Base64-decode request
> Authorization header's value and change the client's host name to its own
> host name in this message. This is what our java proxy server does, and it
> works ! But, may be Microsoft meant that proxy servers usually manage the
> connections and it may really happen that it uses the connections with not
> finished NTLM negotiation for some other requests forwarding. So, is it
> possible to teach Squid not to do so in case of NTLM ?
>
> Thank You in advance,
> Mihhail Meskov
> System Integrator
> Hansabank
> 15040 Liivalaia 8
> Tallinn, Estonia
> Tel: +372 (0)6133617
> Mobile: +372 (0)5090784
> Fax: +372 (0)6131990
> Email: mihhail.meskov@hansa.ee
> Web: http://www.hansa.ee
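As an added illustration of the point in this exchange (example code, not from the thread, from Squid, or from the Java proxy described): a small Python simulation of an origin server that authenticates the connection, as NTLM does, behind a proxy that either shares upstream connections HTTP-style or pins a connection to one client once NTLM has appeared on it. The server, proxy, clients and the minimal NTLMSSP blobs (signature plus type field only) are all constructed stand-ins.

```python
import base64, itertools

def ntlm_msg(msg_type):
    # Constructed minimal NTLMSSP blob: 8-byte signature, then the little-endian message type.
    return "NTLM " + base64.b64encode(b"NTLMSSP\0" + msg_type.to_bytes(4, "little")).decode()

def ntlm_type(authorization):
    # Returns 1/2/3 for an NTLM Authorization header, None for anything else.
    if not authorization or not authorization.startswith("NTLM "):
        return None
    blob = base64.b64decode(authorization[5:])
    return int.from_bytes(blob[8:12], "little") if blob[:8] == b"NTLMSSP\0" else None

class OriginServer:
    # Authenticates the connection, as NTLM does: handshake state is kept per connection.
    def __init__(self):
        self.state = {}  # conn_id -> "challenged" | "authenticated"
    def handle(self, conn_id, authorization):
        t, s = ntlm_type(authorization), self.state.get(conn_id)
        if s == "authenticated":
            return 200
        if t == 1:  # Type 1 -> 401 carrying the Type 2 challenge
            self.state[conn_id] = "challenged"
            return 401
        if t == 3 and s == "challenged":  # Type 3 completes the handshake
            self.state[conn_id] = "authenticated"
            return 200
        self.state.pop(conn_id, None)  # anything else aborts a half-done handshake
        return 401

class Proxy:
    # pin_ntlm=False: HTTP-style shared upstream pool; True: a connection that carried NTLM stays with that client.
    def __init__(self, server, pin_ntlm):
        self.server, self.pin_ntlm = server, pin_ntlm
        self.idle, self.pinned, self.ids = [], {}, itertools.count(1)
    def forward(self, client, authorization=None):
        conn = self.pinned.get(client)
        if conn is None:
            conn = self.idle.pop() if self.idle else next(self.ids)
        status = self.server.handle(conn, authorization)
        if self.pin_ntlm and (ntlm_type(authorization) or client in self.pinned):
            self.pinned[client] = conn  # never hand this connection to another client
        else:
            self.idle.append(conn)  # back into the shared pool
        return status

def run_scenario(pin_ntlm):
    # Returns the three statuses: A's Type 1, an unrelated request from B, then A's Type 3.
    proxy = Proxy(OriginServer(), pin_ntlm)
    return [proxy.forward("A", ntlm_msg(1)), proxy.forward("B"), proxy.forward("A", ntlm_msg(3))]
```

With the shared pool, B's request lands on A's half-negotiated connection and A's Type 3 then fails; with pinning, A's handshake completes on its own connection.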
Received on Thu Aug 16 2001 - 07:04:21 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:14:12 MST