Re: Join to discuss NTLM Authentication

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Sun, 2 Mar 2003 15:14:25 +0100

On Sunday 02 March 2003 11.01, Gary Price (ICT) wrote:
> Hi
> as described in the squid-users list, I have made a change that
> appears to make NTLM auth work. To my surprise in fact. I would
> like to figure out why this actually works. I was planning to go
> further and establish a guaranteed 1-1 connection between client
> and server connections, but it appears not to be necessary.

It is necessary for proper operation. Keeping the server and client
connection detached allows for too many races where things may go
wrong to be acceptable for production use.

Also it is needed to not have too much of a negative impact on the
persistent connections cache when NTLM/NEGOTIATE authentication is
not being used. Your change effectively invalidates the server
persistent connection cache and reuse.

Kinkie: at the moment the discussion is mainly about transparent
proxies where the browser is (rightfully) unaware that there is a
proxy in between, but as discussed previously on squid-dev once this
is solved we can by adding MS extension headers make browsers aware
there are proxies knowing about the Microsoft NTLM or NEGOTIATE
authentication hacks and allow them to be used via the proxy even for
normal proxying.

To bring the discussion in some more context, here is the message Gary
wrote on squid-users:

Gary Price wrote on squid-users:

> I wanted to be able to transparently proxy Windows Integrated
> Authentication. I made a small change to squid that seems to let
> it work. I altered the hash key used for the persistent server
> connection list so it includes the IP and port of the client,
> as well as the host name and port of the origin server. So when
> a lookup is done for an idle file descriptor to use to connect
> to an origin server, only a FD that has previously been used
> for a connection from the same client port will be used. Before
> I made this change, in my test setup using IIS with Integrated
> Windows Authentication, I was getting multiple popups while
> trying to use Outlook Web Access and also my test web server.
> After making the change, I got only one popup per session as
> hoped.
>
> I don't understand why this seems to work, as the documentation,
> including from Microsoft says that the authentication method
> requires end-to-end HTTP state, and this change is not sufficient
> to guarantee that. Perhaps others could try this and report on
> what they find. Contact me directly for the source code I used.
>
> Gary Price
> Intelligent Compression Technologies

Regards
Henrik
Received on Sun Mar 02 2003 - 07:12:34 MST
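The two points in this thread (Gary's observation that keying the idle-server-connection list on the client address stops the extra popups, and Henrik's objection that it also fragments the persistent connection cache) can be seen in a small model of such a pool. The code below is an added example, not Squid source or anything from either poster; the class and function names, the origin host and the client addresses are constructed for the demonstration.

```python
"""Toy model of a proxy's idle server-connection pool (constructed example).

NTLM/Negotiate authenticate the TCP *connection*, not each request, so the
identity the origin sees is a property of the server-side socket.  The model
compares a pool keyed on the origin only with one keyed on (client, origin),
as Gary described, and measures what each does to connection reuse.
All names are hypothetical; this is not Squid code.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class ServerConn:
    origin: tuple                      # (host, port) of the origin server
    opened_for: tuple                  # client (ip, port) that first used it
    authenticated_as: Optional[str] = None  # identity bound to this socket by NTLM


class IdlePool:
    """Idle server connections bucketed by a key chosen by the caller."""

    def __init__(self, keyfn):
        self.keyfn = keyfn
        self.buckets = defaultdict(list)
        self.opened = 0                # new sockets opened to origins
        self.reused = 0                # requests served from an idle socket

    def acquire(self, client, origin):
        bucket = self.buckets[self.keyfn(client, origin)]
        if bucket:
            self.reused += 1
            return bucket.pop()
        self.opened += 1
        return ServerConn(origin=origin, opened_for=client)

    def release(self, client, conn):
        self.buckets[self.keyfn(client, conn.origin)].append(conn)


def origin_key(client, origin):
    """Classic keying: any client may pick up any idle socket to that origin."""
    return origin


def client_and_origin_key(client, origin):
    """Gary's change: only the same client (ip, port) gets the socket back."""
    return (client, origin)


def simulate(keyfn, requests):
    """Run (client, origin, user) requests through a pool; a non-None user
    means the request completed NTLM, binding that identity to the socket.
    Returns (pool, [(client, identity the origin sees) per request])."""
    pool = IdlePool(keyfn)
    seen = []
    for client, origin, user in requests:
        conn = pool.acquire(client, origin)
        if user is not None:
            conn.authenticated_as = user
        seen.append((client, conn.authenticated_as))
        pool.release(client, conn)
    return pool, seen


# Constructed traffic: client A authenticates, then client B hits the same origin.
OWA = ("owa.example.test", 80)
CLIENT_A = ("10.0.0.5", 41000)
CLIENT_B = ("10.0.0.9", 52000)
TRAFFIC = [
    (CLIENT_A, OWA, "DOMAIN\\alice"),   # A completes NTLM on the socket
    (CLIENT_B, OWA, None),              # B sends an unauthenticated request
    (CLIENT_A, OWA, None),              # A continues its session
]


def identity_seen_by_client_b(keyfn):
    """Identity the origin attributes to client B's request under this keying."""
    _, seen = simulate(keyfn, TRAFFIC)
    return seen[1][1]


def reuse_stats(keyfn, n_clients, per_client):
    """(opened, reused) for n_clients interleaved clients making plain
    (non-NTLM) requests to one origin: the cost Henrik points out."""
    clients = [("10.0.1.%d" % i, 40000 + i) for i in range(n_clients)]
    traffic = [(c, OWA, None) for _ in range(per_client) for c in clients]
    pool, _ = simulate(keyfn, traffic)
    return pool.opened, pool.reused


if __name__ == "__main__":
    print("origin key: B seen as", identity_seen_by_client_b(origin_key))
    print("client key: B seen as", identity_seen_by_client_b(client_and_origin_key))
    print("reuse, origin key:", reuse_stats(origin_key, 4, 3))
    print("reuse, client key:", reuse_stats(client_and_origin_key, 4, 3))
```

With the origin-only key, client B is handed the socket that alice authenticated, which is the cross-client mix-up behind the repeated popups; with Gary's key, B opens its own socket. The second function shows the price: four clients making plain requests to one origin need four sockets instead of one, so most of the reuse the persistent cache provided is lost. The model does not capture Henrik's remaining objection, that even a client-keyed pool keeps the server socket detached from the client socket and so leaves races when the client connection closes or is replaced; the 1-1 pinning he asks for is what removes those.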
