Re: [SQU] Disable authentication Realm, No Authprompts with MS-Proxy Explorer

From: Robert Collins <robert.collins@dont-contact.us>
Date: Mon, 16 Oct 2000 08:13:03 +1100

MS Proxy (and IIS) come with a proprietary authentication method 'NTLM'. IE
will automatically use the user's cached MS network password hash to
authenticate using NTLM to local servers (including proxies). All win32
versions of IE from 3.02 and above support this.

This is significantly different from the 'remember password' button which
sends the password over the network as clear text, allowing any machine to
capture the password.

Squid is just finishing the development of a version that implements this
protocol. Everything _seems_ to be working, and if you look in the mail logs
for this mailing list you will see some notes and instructions on
configuring it.

I presume you used Netscape 4.x for your testing? Netscape 4.x doesn't
support NTLM authentication. The realm is irrelevant for the purposes of
auto-login. Any server could fake the realm, so it cannot be trusted to be a
particular server.

HTH,
Rob

----- Original Message -----
From: "Dr. Michael Weller" <eowmob@exp-math.uni-essen.de>
To: <squid-users@ircache.net>
Sent: Monday, October 16, 2000 2:01 AM
Subject: [SQU] Disable authentication Realm, No Authprompts with MS-Proxy
Explorer

> Dear Users & Developers,
>
> I'm new to squid and some of our customers have/want to switch from
> MS-Proxy to Squid. Alas, MS-Proxy comes with a special version of Internet
> Explorer that automatically authenticates to the proxy with the Windows
> account (not prompting for password). Now, those impaired people do not
> like being prompted for the password at all (but want user based access).
>
> From my experiments with Netscape it *seems* that MS-Proxy does
> not provide an authentication realm and the MS-Proxy specific Explorer
> just sends the login password in this case. I would need to check with a
> packet sniffer though.
>
> So: Is there a way to disable the Realm in Squid? I can set it to
> anything, but not remove it completely. Or is there another way to achieve
> that (strangely enough they don't want to use the remember pw option of MS
> (dunno if it would work at all)).
>
> Thanx in advance,
> Michael.
>
>
> --
>
> Michael Weller: eowmob@exp-math.uni-essen.de, eowmob@ms.exp-math.uni-essen.de,
> or even mat42b@spi..power.uni-essen.de. If you encounter an eowmob account on
> any machine in the net, it's very likely it's me.
>
>
> --
> To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
>
>

Received on Sun Oct 15 2000 - 15:11:46 MDT
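
The difference described in the reply above, as an added example (not code from the post or from Squid): a Basic challenge carries a realm and the client's answer is only base64 of `user:password`, while an NTLM challenge has no realm and its messages carry no password. The function names, header values and the NTLM flags word are constructed for illustration.

```python
import base64
import re
import struct

NTLM_SIG = b"NTLMSSP\x00"
NTLM_TYPES = {1: "negotiate", 2: "challenge", 3: "authenticate"}

def challenge_realm(proxy_authenticate):
    """Return the realm of a Proxy-Authenticate value, or None if absent."""
    m = re.search(r'realm="([^"]*)"', proxy_authenticate, re.I)
    return m.group(1) if m else None

def classify_proxy_auth(proxy_authorization):
    """Classify a Proxy-Authorization value and say whether the password
    itself is readable by anyone who can see the header."""
    scheme, _, blob = proxy_authorization.strip().partition(" ")
    scheme = scheme.lower()
    try:
        raw = base64.b64decode(blob.strip(), validate=True)
    except ValueError:
        return {"scheme": scheme, "error": "not valid base64"}
    if scheme == "basic":
        # Basic is base64("user:password"): an encoding, not encryption.
        user, sep, _password = raw.decode("latin-1").partition(":")
        return {"scheme": "basic", "user": user, "password_exposed": bool(sep)}
    if scheme == "ntlm":
        if len(raw) < 12 or not raw.startswith(NTLM_SIG):
            return {"scheme": "ntlm", "error": "not an NTLMSSP message"}
        (msg_type,) = struct.unpack_from("<I", raw, 8)
        # NTLM messages carry negotiation flags or a challenge response
        # computed from the password hash, never the password itself.
        return {"scheme": "ntlm", "message": NTLM_TYPES.get(msg_type, "unknown"),
                "password_exposed": False}
    return {"scheme": scheme, "error": "unhandled scheme"}

# Constructed sample values (not captured traffic).
SAMPLE_BASIC = "Basic " + base64.b64encode(b"alice:s3cret").decode()
SAMPLE_NTLM = "NTLM " + base64.b64encode(
    NTLM_SIG + struct.pack("<II", 1, 0x00000207)).decode()

if __name__ == "__main__":
    print(challenge_realm('Basic realm="Squid proxy-caching web server"'))
    print(challenge_realm("NTLM"))
    print(classify_proxy_auth(SAMPLE_BASIC))
    print(classify_proxy_auth(SAMPLE_NTLM))
```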

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:55:45 MST