Re: [squid-users] Automatic Windows user authentication

From: Robert Collins <robert.collins@dont-contact.us>
Date: Wed, 10 Oct 2001 21:27:51 +1000

----- Original Message -----
From: "Van Bossche Koen" <Koen.VanBossche@KONE.com>
To: "'Kalle Andersson'" <kan@gronaverket.se>;
<squid-users@squid-cache.org>
Sent: Wednesday, October 10, 2001 6:20 PM
Subject: RE: [squid-users] Automatic Windows user authentication

> > I'm trying to do the same but I'm failing. Using the
> > configuration below I'm
> > asked to log in to proxy.
> > I'm running Internet Explorer 5 under Windows 2000.
> > PDC and BDC are Windows 2000 servers.

Under Windows 2000, NTLM _must_ be enabled, and NetBT must be enabled.
If you have disabled either then NTLMSSP will not work.

> What does your cache.log say? With our proxies I still get it not fully
> under control. Most of the time it keeps showing the popup box at the
> beginning of within a session. Check also your authentication log on
> your BDC.

Have you seen anything relevant in the DC server log? (feedback is
useful in making NTLM support better).

> I configured also --disable-internal-dns and use the host file for the BDC
> and PDC. It seems to work a bit better.

The internal dns is orthogonal to squid's ntlm helper - it will not
impact one way or another. The host file for the BDC and PDC will make a
difference if you have any MS network 'issues' at all.

> I use it without the -b parameter (does not seem to make much of a
> difference) and have 'auth_param ntlm max_challenge_reuses 1'

The max_challenge_reuses parameter determines how many repeat
authentications can be sent down a single connection to the DC, so
setting it to 0 is best for an unreliable network.

As for the -b it is a deprecated option - it will always be ignored, and
in future versions will cause the helper to not function. -l combined
with --enable-ntlm-fail-open on your configure line is the only current
way to completely eliminate the popup dialogue boxes - unless you have a
very reliable MS network environment (if such a thing exists :} ).

Rob
Received on Wed Oct 10 2001 - 05:25:27 MDT
