Re: [SQU] NTLM Authentication and Frontpage/IIS/Exchange

From: Robert Collins <robert.collins@dont-contact.us>
Date: Fri, 1 Dec 2000 08:20:15 +1100

From the FAQ:
http://www.squid-cache.org/Doc/FAQ/FAQ-11.html#ss11.14

The ntlm branch in squid adds ntlm authentication to the proxy_auth ACLs used by squid. Note that NTLM cannot be proxied (even by
Microsoft Proxy Server).

11.14 How come Squid doesn't work with NTLM Authorization.
We are not sure. We were unable to find any detailed information on NTLM (thanks Microsoft!), but here is a reference.

We quote from the summary at the end of the browser authentication section:

  In summary, Basic authentication does not require an implicit end-to-end state, and can therefore be used through a proxy server.
Windows NT Challenge/Response authentication requires implicit end-to-end state and will not work through a proxy server.

Squid transparently passes the NTLM request and response headers between clients and servers. NTLM relies on a single end-to-end
connection (possibly with men-in-the-middle, but a single connection every step of the way). This implies that for NTLM
authentication to work at all with proxy caches, the proxy would need to tightly link the client-proxy and proxy-server links, as
well as understand the state of the link at any one time. NTLM through a CONNECT might work, but as far as we know that hasn't
been implemented by anyone, and it would prevent the pages being cached - removing the value of the proxy.

NTLM authentication is carried entirely inside the HTTP protocol, but is different from Basic authentication in many ways.

  1. It is dependent on a stateful end-to-end connection, which collides with RFC 2616, under which proxy servers disjoin the client-proxy
and proxy-server connections.
  2. It only takes place once per connection, not per request. Once the connection is authenticated, all future requests on
the same connection inherit the authentication. The connection must be reestablished to set up other authentication or
re-identify the user.

The reasons why it is not implemented in Netscape are probably:

  a. It is very specific to the Windows platform.
  b. It is not defined in any RFC or even internet draft.
  c. The protocol has several shortcomings, where the most apparent one is that it cannot be proxied.
  d. There exists an open internet standard which does mostly the same but without the shortcomings or platform dependencies:
digest authentication.

----- Original Message -----
From: "Palmer J.D.F." <J.D.F.Palmer@swansea.ac.uk>
To: <squid-users@ircache.net>
Sent: Friday, December 01, 2000 3:54 AM
Subject: [SQU] NTLM Authentication and Frontpage/IIS/Exchange

> Hello,
>
> I am new to the list and therefore apologise for asking you 'noddy'
> questions, but I'm a bit stuck.
>
> The scenario:
>
> Here at the University of Wales Swansea we are running Squid on Red hat 6.0
> and at present all student web (http) traffic goes through this cache (or
> its backup box). It is my aim to route all staff traffic through this cache
> also, the problem is that several of our web servers and all email servers
> are NT boxes running a combination of Exchange 5.5, IIS 4 or IIS 5.
> We have 2 domains, each having a primary and secondary domain controller.
>
> However if I route through the cache no one can authenticate to the various
> NT servers (to either read email via the web or to publish webs via
> frontpage), I realise that it is possible to use basic authentication but it
> is not really an option here.

You might try Digest or SSL+Basic

>
> So I have built myself a development cache running Suse 7 and Squid
> 2.4-20001129, I have patched this version of squid with the NTLM patch and
> have managed to compile it successfully. But the problem I have is that it
> doesn't seem to make any difference.

Because you are trying to pass NTLM through it, not authenticate to it.

> I have read that a few of you have had success in getting ntlm_auth to work,
> so I was hoping that someone would be able to tell what I'm missing out or
> doing wrong.

Assuming that Microsoft designed their security protocol with an eye to scalable systems is your only mistake :-]

> Do I need to specify the domain controllers somewhere?

To authenticate with NTLM, yes. For what you are doing, no. If you want to try the authentication out (just for kicks!), then read
on...

> The configure options that I used were
>
> --enable-ntlm-authentication
> --enable-basic-authentication
> --enable-auth-modules='NCSA NTLM'
> --enable-ntlm-auth-modules="NTLMSSP"
>
> and I uncommented the: # athenticate_program_ntlm
> from the squid.conf file.

The line you uncommented is an example line. IT WILL NOT WORK. You must add in your site specific configuration.

Rob

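As an added illustration of the two points quoted above (this is not code from the thread or from the Squid project), a toy model of why a connection-bound challenge/response scheme only survives when the proxy keeps the client-proxy and proxy-server connections linked, while Basic succeeds on any connection. The server, header strings, connection ids and credentials are constructed for the example and deliberately simplify the real NTLM exchange.

```python
import base64
import secrets

# Toy origin server (constructed for this example): Basic is checked per request;
# the NTLM-like scheme binds its challenge, and the resulting authenticated
# state, to the server-side connection id.
class OriginServer:
    def __init__(self):
        self.pending = {}           # conn id -> challenge issued on that connection
        self.authenticated = set()  # conn ids whose handshake completed

    def handle(self, conn_id, headers):
        auth = headers.get("Authorization", "")
        if auth.startswith("Basic "):
            ok = base64.b64decode(auth[6:]).decode() == "alice:secret"
            return {"status": 200 if ok else 401}
        if conn_id in self.authenticated:
            return {"status": 200}  # later requests on this connection inherit auth
        if auth == "NTLM negotiate":
            self.pending[conn_id] = secrets.token_hex(4)
            return {"status": 401, "WWW-Authenticate": "NTLM " + self.pending[conn_id]}
        if auth.startswith("NTLM authenticate "):
            expected = self.pending.pop(conn_id, None)
            if expected and auth.endswith(expected):
                self.authenticated.add(conn_id)
                return {"status": 200}
        return {"status": 401}  # no challenge was ever issued on *this* connection

def basic_request(server, conn_id):
    cred = base64.b64encode(b"alice:secret").decode()
    return server.handle(conn_id, {"Authorization": "Basic " + cred})["status"]

def ntlm_handshake(server, conns):
    """Run the two auth legs; conns[i] is the server-side connection the proxy
    happens to use for leg i (same id = pinned, different ids = pooled)."""
    r = server.handle(conns[0], {"Authorization": "NTLM negotiate"})
    if r["status"] != 401 or "WWW-Authenticate" not in r:
        return r["status"]
    challenge = r["WWW-Authenticate"].split(" ", 1)[1]
    return server.handle(conns[1], {"Authorization": "NTLM authenticate " + challenge})["status"]

def demo():
    s = OriginServer()
    return {
        "basic_any_conn": basic_request(s, "srv-7"),             # stateless: 200
        "ntlm_pinned": ntlm_handshake(s, ["srv-1", "srv-1"]),     # linked conns: 200
        "ntlm_inherited": s.handle("srv-1", {})["status"],        # no header needed: 200
        "ntlm_pooled": ntlm_handshake(OriginServer(), ["srv-1", "srv-2"]),  # 401
    }
```

The pooled case is exactly what an RFC 2616-style proxy does when it picks any idle server connection per request, which is why the NTLM patch cannot help with pass-through authentication.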
Received on Thu Nov 30 2000 - 14:14:46 MST
