RE: NTLM question

From: Chemolli Francesco (USI) <ChemolliF@dont-contact.us>
Date: Tue, 21 Aug 2001 10:37:15 +0200

> > > Squid cannot proxy NTLM authentication because Microsoft NTLM
> > > authentication does not follow HTTP specifications on persistent
> > > connection management and authentication.
> > >
> > > HTTP specifies that persistent connections are managed independently
> > > between client<->proxy and proxy<->server to allow efficient sharing
> > > of server connections. Further, authentication is to take place per
> > > message, not per connection.
> > >
> > > NTLM authentication requires unique persistent client<->server
> > > connections with absolutely no sharing of the server connection
> > > between multiple clients.
> >
> > It is worth noticing that recent versions of MS Internet Explorer
> > WILL NOT EVEN ATTEMPT to perform NTLM authentication if a proxy
> > is in use to reach the destination host.
>
> To my mind, it is because of the "401" response. In case of "407",
> all IE 4+ start the NTLM negotiation.

Maybe you are right, it's IIS refusing to negotiate.

> So, if the destination server offers NTLM along with other schemes,
> Squid should change 401 to 407 and the "WWW-Authenticate: NTLM" header
> line to "Proxy-Authenticate: NTLM". Also, Squid should change the
> hostname of the client to the name of its own host in each NTLM message
> sent by a client in "Proxy-Authorization: NTLM ..", eliminating "Proxy-"
> from this header's name before forwarding this client's reply to the
> destination (MS) server.

AARGH!

> I am not a Squid developer, not even a hacker. I've just discovered a
> lot about how NTLM works because of a project I am involved in. And,
> IMHO, if Basic Authorization can be passed through a proxy, why
> shouldn't NTLM? Of course, you may say that MS violates the HTTP
> standard with NTLM, but this scheme works, is in use and is becoming
> popular.

I contend this. It is popular in MS-only or almost-MS-only enterprises
for intranets because it allows single sign-on.
Anybody using it over the internet should be beaten to a bloody pulp. For
instance, accessing a site via a transparent proxy (as many ISPs seem to
be doing currently) would not work.

-- 
	/kinkie 
Received on Tue Aug 21 2001 - 04:13:53 MDT
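As an added illustration, not code from the Squid project or from anyone in this thread: the header rewrite sketched in the quoted proposal (401 to 407, WWW-Authenticate to Proxy-Authenticate on the way in, Proxy-Authorization to Authorization on the way out), mocked up in Python, together with the per-client pinning of the origin connection that the first quoted message's point about "no sharing of the server connection" forces on a proxy. The header lists, connection ids and NTLM tokens are constructed here; the workstation-name rewrite inside the NTLM messages that the proposal also asks for is left out.

```python
import base64
import binascii
import struct

# Added example, not Squid code and not from anyone in the thread.  It mocks
# up the 401->407 / WWW-Authenticate->Proxy-Authenticate rewrite proposed in
# the quoted message, the reverse rewrite of the client's reply, and the
# per-client pinning of the origin connection that NTLM's connection-level
# authentication forces on a proxy.  Headers are (name, value) pairs so that
# order and repeated headers survive; connection ids are opaque strings.

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"


def ntlm_message_type(token_b64):
    """Return 1, 2 or 3 for an NTLMSSP Type 1/2/3 token, else None.

    An NTLMSSP message starts with the 8-byte signature followed by a
    little-endian 32-bit message type; that is all this needs to read."""
    try:
        raw = base64.b64decode(token_b64, validate=True)
    except (ValueError, binascii.Error):
        return None
    if len(raw) < 12 or not raw.startswith(NTLMSSP_SIGNATURE):
        return None
    mtype = struct.unpack_from("<I", raw, 8)[0]
    return mtype if mtype in (1, 2, 3) else None


def constructed_ntlm_token(mtype):
    """Constructed sample token (signature, type, zeroed flags and empty
    security buffers): enough for type detection, not a real handshake."""
    raw = NTLMSSP_SIGNATURE + struct.pack("<I", mtype) + b"\x00" * 20
    return base64.b64encode(raw).decode("ascii")


def _scheme_and_token(value):
    scheme, _, token = value.partition(" ")
    return scheme.upper(), token.strip()


def rewrite_origin_challenge(status_line, headers):
    """Turn the origin's 401 + 'WWW-Authenticate: NTLM ...' into the
    407 + 'Proxy-Authenticate: NTLM ...' that IE 4+ will answer through a
    proxy.  Other schemes on the same response are left untouched; a 401
    that offers no NTLM is passed through unchanged."""
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or parts[1] != "401":
        return status_line, list(headers)
    out, saw_ntlm = [], False
    for name, value in headers:
        if name.lower() == "www-authenticate" and _scheme_and_token(value)[0] == "NTLM":
            out.append(("Proxy-Authenticate", value))
            saw_ntlm = True
        else:
            out.append((name, value))
    if not saw_ntlm:
        return status_line, list(headers)
    return parts[0] + " 407 Proxy Authentication Required", out


def rewrite_client_reply(headers):
    """Drop the 'Proxy-' prefix from the client's NTLM Proxy-Authorization so
    the origin sees a plain Authorization header.  Only well-formed NTLM
    Type 1/3 tokens are moved; anything else (e.g. Basic credentials meant
    for the proxy itself) stays where it is."""
    out = []
    for name, value in headers:
        scheme, token = _scheme_and_token(value)
        if (name.lower() == "proxy-authorization" and scheme == "NTLM"
                and ntlm_message_type(token) in (1, 3)):
            out.append(("Authorization", value))
        else:
            out.append((name, value))
    return out


class NtlmConnectionPinning:
    """Keep each NTLM-authenticating client on its own origin connection.

    NTLM authenticates the TCP connection rather than each message, so the
    origin treats everything on that connection, whoever sends it, as the
    user who completed the handshake.  A Type 1 message therefore takes a
    fresh origin connection, which stays pinned to that client until the
    client connection goes away and must never return to the shared pool."""

    def __init__(self, new_origin_conn):
        self._new_origin_conn = new_origin_conn  # callable returning a fresh origin conn id
        self._pinned = {}                         # client conn id -> origin conn id

    def origin_for(self, client_conn, headers):
        """Origin connection this request must use, or None if any pooled one will do."""
        if client_conn in self._pinned:
            return self._pinned[client_conn]
        for name, value in headers:
            scheme, token = _scheme_and_token(value)
            if (name.lower() == "proxy-authorization" and scheme == "NTLM"
                    and ntlm_message_type(token) == 1):
                self._pinned[client_conn] = self._new_origin_conn()
                return self._pinned[client_conn]
        return None

    def client_closed(self, client_conn):
        """Release and return the pinned origin connection; the caller should
        close it rather than pool it, since the origin still considers it authenticated."""
        return self._pinned.pop(client_conn, None)
```

The pinning class is the part the quoted proposal leaves out and the part that matters for security: once the origin has accepted the Type 3, it will serve any request on that TCP connection as the authenticated user, so a proxy that handed the connection back to its pool would let the next client ride the first user's session. Rewriting two header names is the easy half; giving up connection sharing for every NTLM client is the price the first quoted message is pointing at.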

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:14:14 MST