Re: Windows NTLM authenticator

From: Serassio Guido
Date: Mon, 08 Sep 2003 10:28:48 +0200

Hi Robert,

At 23.31 07/09/2003 Robert Collins wrote:

>On Mon, 2003-09-08 at 04:03, Serassio Guido wrote:
>ntlm caching cannot be used with the windows backend, as you aren't
>choosing your challenge - it's being supplied.

My impression was correct.

The helper currently doesn't allow the reuse of a challenge, with a sort of
two-state architecture:

YR => TT with a challenge generated from a fake negotiate packet
KK => AF or NA
and again
YR => TT
KK => AF or NA

If a KK is got with an already used challenge, a BH is generated.

It seems that in Squid there is a problem:
I'm using auth_param ntlm max_challenge_reuses 0, but sometimes I get a KK
without a YR, the helper sends a BH to Squid and Internet Explorer pops up
for authentication.

>Kinkie has a patch in development to supply the negotiate to the helper,
>and force the squid.conf settings to a compatible level.. will try to
>find time to review it, so we can move it along.

Very interesting, the helper is ready for the real NEGOTIATE packet.



Guido Serassio
Acme Consulting S.r.l.
Via Gorizia, 69 10136 - Torino - ITALY
Tel. : +39.011.3249426 Fax. : +39.011.3293665
Received on Mon Sep 08 2003 - 02:28:54 MDT
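
The two-state exchange described in the message above, as an added example that is not part of the original post or the helper's own source. The names `handle_line` and `struct helper`, the counter-based challenge and the `:ok` response check are constructed stand-ins; in the Windows backend the challenge is supplied by the system rather than chosen.

```c
#include <stdio.h>
#include <string.h>

/* A challenge issued for YR may be consumed by exactly one KK. */
enum state { NEED_YR, HAVE_CHALLENGE };

struct helper {
    enum state st;
    unsigned counter;      /* constructed stand-in for the challenge source */
    char challenge[32];
};

/* Constructed stand-in for the backend credential check (not real NTLM):
 * a response is accepted only if it equals "<challenge>:ok". */
static int response_ok(const struct helper *h, const char *resp)
{
    size_t n = strlen(h->challenge);
    return strncmp(resp, h->challenge, n) == 0 && strcmp(resp + n, ":ok") == 0;
}

/* Handle one request line from Squid; the reply is written to out. */
const char *handle_line(struct helper *h, const char *line, char *out, size_t len)
{
    if (strcmp(line, "YR") == 0) {
        snprintf(h->challenge, sizeof h->challenge, "chal%u", ++h->counter);
        h->st = HAVE_CHALLENGE;
        snprintf(out, len, "TT %s", h->challenge);
    } else if (strncmp(line, "KK ", 3) != 0) {
        snprintf(out, len, "BH unknown request");
    } else if (h->st != HAVE_CHALLENGE) {
        /* KK without a YR, or a second KK for an already used challenge */
        snprintf(out, len, "BH no outstanding challenge");
    } else {
        h->st = NEED_YR;   /* consume the challenge before answering */
        snprintf(out, len, "%s", response_ok(h, line + 3) ? "AF user" : "NA bad credentials");
    }
    return out;
}

int main(void)
{
    /* Constructed request sequence: normal pair, replayed KK, failed login. */
    const char *in[] = { "YR", "KK chal1:ok", "KK chal1:ok", "YR", "KK wrong" };
    struct helper h = { NEED_YR, 0, "" };
    char out[64];
    for (size_t i = 0; i < sizeof in / sizeof in[0]; i++)
        printf("%-12s => %s\n", in[i], handle_line(&h, in[i], out, sizeof out));
    return 0;
}
```

The third request in the sample sequence is the case the message reports: a KK arriving with no outstanding challenge is answered with BH rather than being checked against the spent challenge.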
