RE: NTLM question

From: Mihhail Meskov <mihhail.meskov@dont-contact.us>
Date: Tue, 21 Aug 2001 09:57:35 +0200

Mihhail Meskov
System Integrator
Hansabank
15040 Liivalaia 8
Tallinn, Estonia
Tel: +372 (0)6133617
Mobile: +372 (0)5090784
Fax: +372 (0)6131990
Email: mihhail.meskov@hansa.ee
Web: http://www.hansa.ee

> -----Original Message-----
> From: Chemolli Francesco (USI) [mailto:ChemolliF@GruppoCredit.it]
> Sent: Monday, August 20, 2001 3:57 PM
> To: 'Henrik Nordstrom'; Mihhail Meskov
> Cc: Squid Developers Mailinglist
> Subject: RE: NTLM question
>
>
> > Squid cannot proxy NTLM authentication because Microsoft NTLM
> > authentication does not follow HTTP specifications on persistent
> > connection management and authentication.
> >
> > HTTP specifies that persistent connections are managed independently
> > between client<->proxy and proxy<->server to allow efficient sharing
> > of server connections. Further, authentication is to take place per
> > message, not per connection.
> >
> > NTLM authentication requires unique persistent client<->server
> > connections with absolutely no sharing of the server connection
> > between multiple clients.
>
> It is worth noticing that recent versions of MS Internet Explorer
> WILL NOT EVEN ATTEMPT to perform NTLM authentication if a proxy
> is in use to reach the destination host.

To my mind, it is because of the "401" response. In case of "407", all IE
4+ start NTLM negotiation.
So, if the destination server offers NTLM along with other schemes, Squid
should change 401 to 407 and the "WWW-Authenticate: NTLM" header line to
"Proxy-Authenticate: NTLM". Also, Squid should change the hostname of the
client to the name of its own host in each NTLM message sent by a client in
"Proxy-Authorization: NTLM ..", eliminating "Proxy-" from this header's
name before forwarding the client's reply to the destination (MS) server.

I'm not a Squid developer, not even a hacker. I've just discovered a lot about
how NTLM works because of a project I am involved in. And, IMHO, if Basic
Authorization can be passed through a proxy, why shouldn't NTLM? Of course,
you may say that MS violates the HTTP standard with NTLM, but this scheme
works, is in use, and is becoming popular.

Mihhail
Received on Tue Aug 21 2001 - 05:27:12 MDT
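The following is an added example, not code from this thread or from Squid. It is a small Python model of the two points the messages above make: Henrik's point that NTLM authenticates a TCP connection rather than each HTTP message, so a proxy that shares origin connections between clients can end up serving a second client under the first client's identity (the correctness and security reason a proxy must pin the upstream connection), and Mihhail's proposed 401/407 and WWW-Authenticate/Proxy-Authenticate header rewrite. The class and function names, the single-token stand-in for the three-leg NTLM handshake, and the `X-Served-As` header are all constructed for this example; the rewrite of the workstation name inside the NTLM token is not modelled.

```python
"""Toy model: connection-bound (NTLM-style) auth behind a proxy that either
shares origin connections between clients or pins them per client.
All names here are constructed for the example."""
from typing import Dict, List, Optional, Tuple

Headers = Dict[str, str]


def origin_to_proxy_challenge(status: int, headers: Headers) -> Tuple[int, Headers]:
    """Rewrite an origin NTLM challenge (401 + WWW-Authenticate: NTLM) into a
    proxy challenge (407 + Proxy-Authenticate: NTLM); everything else passes."""
    chal = headers.get("WWW-Authenticate", "")
    if status != 401 or not chal.startswith("NTLM"):
        return status, headers
    out = {k: v for k, v in headers.items() if k != "WWW-Authenticate"}
    out["Proxy-Authenticate"] = chal
    return 407, out


def proxy_to_origin_credentials(headers: Headers) -> Headers:
    """Drop the 'Proxy-' prefix from the client's Proxy-Authorization: NTLM
    header before forwarding to the origin (token contents are left untouched)."""
    cred = headers.get("Proxy-Authorization", "")
    if not cred.startswith("NTLM"):
        return headers
    out = {k: v for k, v in headers.items() if k != "Proxy-Authorization"}
    out["Authorization"] = cred
    return out


class UpstreamConnection:
    """One TCP connection from proxy to origin. Once NTLM completes, the origin
    remembers the user on the connection, not on each request."""
    def __init__(self) -> None:
        self.user: Optional[str] = None


class OriginServer:
    """Toy NTLM origin: the three-leg handshake is collapsed into one token."""
    def handle(self, conn: UpstreamConnection, headers: Headers) -> Tuple[int, Headers]:
        if conn.user is not None:               # connection already authenticated
            return 200, {"X-Served-As": conn.user}
        cred = headers.get("Authorization", "")
        if cred.startswith("NTLM "):
            conn.user = cred.split(" ", 1)[1]   # bind identity to the connection
            return 200, {"X-Served-As": conn.user}
        return 401, {"WWW-Authenticate": "NTLM"}


class Proxy:
    """share_upstream=True: any idle origin connection serves any client (HTTP's
    normal, efficient behaviour). False: the origin connection is pinned to the
    client connection that opened it, which is what connection-bound auth needs."""
    def __init__(self, origin: OriginServer, share_upstream: bool) -> None:
        self.origin = origin
        self.share_upstream = share_upstream
        self.idle: List[UpstreamConnection] = []
        self.pinned: Dict[str, UpstreamConnection] = {}

    def _upstream_for(self, client_conn: str) -> UpstreamConnection:
        if self.share_upstream:
            if not self.idle:
                self.idle.append(UpstreamConnection())
            return self.idle[0]                 # reused across all clients
        return self.pinned.setdefault(client_conn, UpstreamConnection())

    def request(self, client_conn: str, headers: Headers) -> Tuple[int, Headers]:
        conn = self._upstream_for(client_conn)
        status, resp = self.origin.handle(conn, proxy_to_origin_credentials(headers))
        return origin_to_proxy_challenge(status, resp)


def demo(share_upstream: bool) -> Tuple[int, Optional[str]]:
    """Client A authenticates as 'alice'; client B then sends a request with no
    credentials. Returns (status B sees, user B was served as, if any)."""
    proxy = Proxy(OriginServer(), share_upstream)
    proxy.request("client-A", {})                                      # A is challenged
    proxy.request("client-A", {"Proxy-Authorization": "NTLM alice"})   # A authenticates
    status, resp = proxy.request("client-B", {})                       # B, no credentials
    return status, resp.get("X-Served-As")


if __name__ == "__main__":
    print("shared upstream:", demo(True))    # (200, 'alice'): B rides A's connection
    print("pinned upstream:", demo(False))   # (407, None): B gets its own challenge
```

With a shared upstream pool, client B is served as `alice` without ever presenting credentials, which is the identity confusion Henrik's "no sharing of the server connection between multiple clients" rule exists to prevent; pinning the upstream connection to the client connection restores per-client challenges at the cost of the connection reuse HTTP normally allows. Pinning is the mitigation; the header rewrite alone does not make NTLM safe to relay through a connection-sharing proxy.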

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:14:14 MST