Re: [SQU] NTLM....and traffic/resources needed from BDC

From: Robert Collins <robert.collins@dont-contact.us>
Date: Fri, 24 Nov 2000 23:38:51 +1100

----- Original Message -----
From: "Yuri Sytema" <Yuri.S@arma.nl>
To: "Craig Fels" <csfels@swbell.net>
Cc: "Squid-Users" <squid-users@ircache.net>
Sent: Friday, November 24, 2000 6:52 PM
Subject: RE: [SQU] NTLM....and traffic/resources needed from BDC

> Hi Craig,
>
> Yep, works perfectly,
>
> Still have to see how we drop back to basic authentication, some users are
> getting their hotmail with outlook express, and in such a case you'll not
> see the username, but the hotmail logon name.

Yes, Outlook Express is broken with respect to proxy authentication. Even
using Microsoft Proxy Server/IA Server, Outlook Express won't authenticate. I
put that in the "well it doesn't want to play... thanks MS" basket. Fakeauth
can record the user details, but as you can't run fakeauth & NTLMSSP at the
same time it's largely irrelevant.

> It also seems that when users have to log on to some website, the logfiles
> contain this logon name instead of the windows logon name, but I've only
> seen this with one user.

Can you generate some logs about this? This may be a bug. Theory says that
cannot happen as the web site prompts for WWW-Authentication, not
Proxy-Authentication.

> All the citrix users use ms outlook, some users get their own web based
> hotmail, so that's no problem.
>
> I'm not so worried about the network traffic as I'm using the fake_auth
> module.
>
>
> -----Original Message-----
> From: Craig Fels [mailto:csfels@swbell.net]
> Sent: Thursday, November 23, 2000 5:36 PM
> To: Yuri Sytema; Squid-Users; thomas@an-netz.de
> Subject: Re: [SQU] NTLM....and traffic/resources needed from BDC
>
>
> I have squid with NTLM running on a Linux box for testing purposes. It's
> only been up for a couple of days and I only have a couple users connecting
> through it.
>
> For those of you who have it running in production (no longer just testing),
> what helper are you using? NTLMSSP? Fake_auth?

Production sites should use NTLMSSP. Fake_auth does not perform
authentication, just username recording. And that can be faked by a broken
MSIE browser.

>
> I'm a little concerned with the extra traffic and work the BDC has to do
> when using NTLMSSP. Have any of you using found anything to worry about?

The extra work should be fairly minimal. About the same as using a MS
network fileshare from a workstation to a non-DC server.

> Yuri, I'm in a similar Environment as you. Citrix Servers and the need to
> block/allow access for the clients. Looks like Robert and Kinkie have a
> winner here for this environment.
>
> Robert/Kinkie...if no one has said it yet...I personally appreciate the time
> and work you've put into this much needed addition for Squid. Thanks!

Kinkie was speaking for both of us before :-]

Thanks for the thanks :-] and the feedback.

Rob

Received on Fri Nov 24 2000 - 05:36:55 MST
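
The following is an added example, not part of the original message and not Squid's helper code. It illustrates two points from the reply above: a helper that only records the user name is reading a field the client wrote into its NTLM type 3 message, and proxy credentials travel in Proxy-Authorization, separately from the Authorization header a web site asks for. The function names, the sample domain and user, and the assumption of the 64-byte type 3 header layout are all choices made for this example.

```python
import base64
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001

def _buf(msg, pos):
    """Read a security buffer (len, maxlen, offset) and return the bytes it points at."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length]

def claimed_proxy_identity(headers):
    """Return (domain, user, nt_response_len) as claimed by the client in an NTLM
    type 3 message, or None. Only Proxy-Authorization is read; nothing is verified."""
    scheme, _, blob = headers.get("Proxy-Authorization", "").partition(" ")
    if scheme.upper() != "NTLM" or not blob:
        return None
    msg = base64.b64decode(blob, validate=True)
    if len(msg) < 64 or not msg.startswith(NTLMSSP_SIG):
        raise ValueError("not an NTLMSSP message with a 64-byte header")
    if struct.unpack_from("<I", msg, 8)[0] != 3:
        return None  # type 1 (negotiate) carries no user name
    flags = struct.unpack_from("<I", msg, 60)[0]
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"  # OEM code page assumed
    # Offsets: NT response at 20, domain at 28, user at 36.
    return _buf(msg, 28).decode(enc), _buf(msg, 36).decode(enc), len(_buf(msg, 20))

def build_type3(domain, user, nt_response=b""):
    """Build a constructed type 3 header value to use as sample input."""
    fields = [b"", nt_response, domain.encode("utf-16-le"),
              user.encode("utf-16-le"), b"", b""]  # LM, NT, domain, user, host, key
    header, payload, offset = NTLMSSP_SIG + struct.pack("<I", 3), b"", 64
    for field in fields:
        header += struct.pack("<HHI", len(field), len(field), offset)
        payload += field
        offset += len(field)
    msg = header + struct.pack("<I", NEGOTIATE_UNICODE) + payload
    return "NTLM " + base64.b64encode(msg).decode()

if __name__ == "__main__":
    # Constructed request: a proxy credential with no NT response at all, plus an
    # unrelated origin-server credential that must not end up as the proxy user.
    sample = {"Proxy-Authorization": build_type3("EXAMPLE", "alice"),
              "Authorization": "Basic d2VidXNlcjp4"}
    print(claimed_proxy_identity(sample))
```

A name is returned even when the NT response is empty, which is why a recording-only helper is not authentication: the response has to be checked against the domain controller before the name means anything.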
