RE: [SQU] NTLM....and traffic/resources needed from BDC

From: Yuri Sytema <Yuri.S@dont-contact.us>
Date: Fri, 24 Nov 2000 13:39:35 +0100

Hi,

I only want the username, I do NOT want users to authenticate.
The proxy settings are forced on the browser side, we switched from no proxy
to squid some time ago.

Not even one user noticed we switched :)
Now I even get the usernames without them knowing :)

The only response was that certain sites were 'so damn fast' since we
started using the proxy.

:)

-----Original Message-----
From: Robert Collins [mailto:robert.collins@itdomain.com.au]
Sent: Friday, November 24, 2000 1:39 PM
To: Yuri Sytema; Craig Fels
CC: Squid-Users
Subject: Re: [SQU] NTLM....and traffic/resources needed from BDC

----- Original Message -----
From: "Yuri Sytema" <Yuri.S@arma.nl>
To: "Craig Fels" <csfels@swbell.net>
Cc: "Squid-Users" <squid-users@ircache.net>
Sent: Friday, November 24, 2000 6:52 PM
Subject: RE: [SQU] NTLM....and traffic/resources needed from BDC

> Hi Craig,
>
> Yep, works perfectly,
>
> Still have to see how we drop back to basic authentication, some users are
> getting their hotmail with outlook express, and in such a case you'll not
> see the username, but the hotmail logon name.

Yes, Outlook Express is broken with respect to proxy authentication. Even
using Microsoft Proxy Server/IA Server, Outlook Express won't authenticate. I
put that in the "well it doesn't want to play... thanks MS" basket. Fakeauth
can record the user details, but as you can't run fakeauth & NTLMSSP at the
same time it's largely irrelevant.

> It also seems that when users have to log on to some website, the logfiles
> contain this logon name instead of the windows logon name, but I've only
> seen this with one user.

Can you generate some logs about this? This may be a bug. Theory says that
cannot happen as the web site prompts for WWW-Authentication, not
Proxy-Authentication.

> All the citrix users use ms outlook, some users get their own web based
> hotmail, so that's no problem.
>
> I'm not so worried about the network traffic as I'm using the fake_auth
> module.
>
>
> -----Original Message-----
> From: Craig Fels [mailto:csfels@swbell.net]
> Sent: Thursday, November 23, 2000 5:36 PM
> To: Yuri Sytema; Squid-Users; thomas@an-netz.de
> Subject: Re: [SQU] NTLM....and traffic/resources needed from BDC
>
>
> I have squid with NTLM running on a Linux box for testing purposes. It's
> only been up for a couple of days and I only have a couple users connecting
> through it.
>
> For those of you who have it running in production (no longer just testing),
> what helper are you using? NTLMSSP? Fake_auth?

Production sites should use NTLMSSP. Fake_auth does not perform
authentication, just username recording. And that can be faked by a broken
MSIE browser.

>
> I'm a little concerned with the extra traffic and work the BDC has to do
> when using NTLMSSP. Have any of you using found anything to worry about?

The extra work should be fairly minimal. About the same as using a MS
network fileshare from a workstation to a non-DC server.

> Yuri, I'm in a similar Environment as you. Citrix Servers and the need to
> block/allow access for the clients. Looks like Robert and Kinkie have a
> winner here for this environment.
>
> Robert/Kinkie...if no one has said it yet...I personally appreciate the time
> and work you've put into this much needed addition for Squid. Thanks!

Kinkie was speaking for both of us before :-]

Thanks for the thanks :-] and the feedback.

Rob

--
To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
Received on Fri Nov 24 2000 - 05:41:46 MST
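
Added example, not part of the original thread and not Squid's helper code: a minimal parser for the NTLM Type 3 (authenticate) message, showing that the domain, user and workstation are fields the client fills in, so a helper that only records the name logs the same value whatever the response bytes are. The names record_only and build_sample_type3 are hypothetical, the sample messages are constructed, and the parser assumes the 64-byte header form of the message.

```python
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
FLAG_UNICODE = 0x00000001  # NTLMSSP_NEGOTIATE_UNICODE

def _field(msg, hdr_off):
    """Read one security buffer header (len, maxlen, offset); return its bytes."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, hdr_off)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length]

def parse_type3(msg):
    """Return the identity fields the client placed in a Type 3 message."""
    if len(msg) < 64 or msg[:8] != NTLMSSP_SIG:
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not a Type 3 (authenticate) message")
    flags = struct.unpack_from("<I", msg, 60)[0]
    enc = "utf-16-le" if flags & FLAG_UNICODE else "cp437"
    return {
        "domain": _field(msg, 28).decode(enc),
        "user": _field(msg, 36).decode(enc),
        "workstation": _field(msg, 44).decode(enc),
        "nt_response": _field(msg, 20),
    }

def record_only(msg):
    """Hypothetical record-only helper: logs the name, never checks the response."""
    f = parse_type3(msg)
    return f["domain"] + "\\" + f["user"]

def build_sample_type3(domain, user, workstation, nt_response):
    """Constructed sample message; the response bytes are arbitrary filler."""
    parts = [b"", nt_response]
    parts += [s.encode("utf-16-le") for s in (domain, user, workstation)]
    parts.append(b"")  # empty session key
    header, payload, off = NTLMSSP_SIG + struct.pack("<I", 3), b"", 64
    for p in parts:
        header += struct.pack("<HHI", len(p), len(p), off)
        payload += p
        off += len(p)
    return header + struct.pack("<I", FLAG_UNICODE) + payload

if __name__ == "__main__":
    a = build_sample_type3("EXAMPLE", "alice", "WS01", b"\x00" * 24)
    b = build_sample_type3("EXAMPLE", "alice", "WS01", b"\xff" * 24)
    # Same logged name for both: the response was never verified.
    print(record_only(a), record_only(b))
```

Usernames recorded this way are suitable for usage statistics only; access-control decisions need a helper that validates the response against a domain controller.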

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:56:35 MST