Re: Windows NTLM authenticator

From: Guido Serassio <>
Date: Mon, 08 Sep 2003 10:25:27 +0200

Hi Robert,

Il 23.31 07/09/2003 Robert Collins ha scritto:

>On Mon, 2003-09-08 at 04:03, Serassio Guido wrote:
>ntlm caching cannot be used with the windows backend, as you aren't
>choosing your challenge - it's being supplied.

My impression was correct.

The helper currently don't allow the reuse of a challenge with a sort of
two state architecture:

YR => TT with a challenge generated from a fake negotiate packet
KK => AF or NA
and again
YR => TT
KK => AF or NA

if a KK is got with an already used challenge, a BH is generated.

It seems that in Squid there is a problem:
I'm using auth_param ntlm max_challenge_reuses 0, but sometimes I get a KK
without a YR, the helper sends a BH to squid and Internet Explorer pop-ups
for authentication.

>Kinkie has a patch in development to supply the negotiate to the helper,
>and force the squid.conf settings to a compatible level.. will try to
>find time to review it, so we can move it along.

Very interesting, the helper is ready for the real NEGOTIATE packet.



Serassio Guido
Via Albenga, 11/4 10134 - Torino - ITALY
Received on Mon Sep 08 2003 - 03:11:28 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:20:40 MST