RE: [squid-users] NTLM authentication on intranet

From: Van Bossche Koen <Koen.VanBossche@dont-contact.us>
Date: Mon, 10 Dec 2001 12:32:42 +0100

Henrik,

This is the 'wpad.dat' script I use; the criterion concerning NTLM is the
"(shExpMatch(url,".mkone.com"))" line, saying to go direct.
This is from my access.log :
1007980145.417 2481 kcod0046.nt.kone.com TCP_MISS/401 3076 GET http://mkontsidoc.mkone.com/intradoc-cgi/iis_idc_cgi.dll? - DIRECT/138.249.66.198 text/html

Any ideas or suggestions ?

function FindProxyForURL(url,host) {
    if (isPlainHostName(host))
        return "DIRECT";
    else if (shExpMatch(url,".kone.com"))
        return "DIRECT";
    else if (shExpMatch(url,".mkone.com"))
        return "DIRECT";
    else if (shExpMatch(url,".equant.com"))
        return "DIRECT";
    if (isInNet(host, "138.249.0.0", "255.255.0.0"))
        return "DIRECT";
    if (isInNet(host, "192.130.16.0", "255.255.255.0"))
        return "DIRECT";
    if (isInNet(host, "57.0.0.0", "255.0.0.0"))
        return "DIRECT";
    else if (shExpMatch(url,"https://"))
        return "DIRECT";
    else
        return "PROXY 138.249.118.131:8080;" +
               "PROXY kcoeuproxy2.nt.kone.com:8080;" +
               "PROXY kcofiproxy1.kone.com:8080";
}

> NTLM cannot be proxied, only tunnelled.
How would this actually need to be set up then? Using https, the CONNECT method,
...

Many thanks!

BR
./koen

> New versions of IE apparently correctly deny the use of NTLM when using a
> proxy.
>
> Using NTLM over the Internet is not what NTLM is intended for.
>
> If you are using a PAC script to tell IE that it must go direct to your
> intranet sites requiring NTLM, then it should, and should agree on
> performing the NTLM authentication. If it does not then there is either a
> bug in your PAC script, or in IE.
>
> always_direct in squid.conf has no relation to the discussion. It only tells
> Squid how Squid may connect to the servers, and is only of relevance when
> you have peer caches/proxies (cache_peer directive).
>
> Regards
> Henrik Nordström
>
> On Monday 10 December 2001 10.10, Van Bossche Koen wrote:
> > Hi all,
> >
> > Is there any solution or possible bypass for this known problem to still
> > use squid and have the NTLM 3-line logon on intranet pages active? I am
> > using a script to go direct to the intranet and configured squid with
> > always_direct for it.
> >
> > Problem :
> > Even with the exclusion list, the proxy still does not allow NTLM
> > pass-through, because IE will not even attempt authentication if it sees
> > it's going through a proxy.
>
> --
> MARA Systems AB
> Giving you basic free Squid support
> Priority support or Squid enhancements available on request
>
Received on Mon Dec 10 2001 - 04:33:11 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:05:17 MST
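A runnable check of the PAC logic discussed in this thread, added here as an example; it is not Koen's script nor anything from the Squid project. It implements the three PAC helper functions the script relies on (assumed to follow the documented PAC semantics, where a shExpMatch pattern must match the whole string and isInNet compares a dotted-quad host against a network and mask) so the file can run under Node, then shows that the suffix-only pattern ".mkone.com" never matches a full URL, which is why such a request falls through to the PROXY rule and shows up in Squid's access.log. The corrected FindProxyForURL matches the host against wildcard patterns instead. Proxy addresses, domains and network ranges are the ones from the script above; the sample URL is the one from the access.log line.

```javascript
// Added example (not from the thread): minimal PAC harness plus a corrected
// FindProxyForURL. Helper semantics are assumptions based on the documented
// PAC behaviour: shExpMatch is anchored (whole-string glob), isInNet only
// accepts dotted-quad hosts here (a real browser would resolve names first).

function isPlainHostName(host) {
  // No dot in the name: an unqualified intranet host.
  return host.indexOf(".") === -1;
}

function shExpMatch(str, shexp) {
  // Turn a shell glob into an anchored regular expression: '*' -> '.*', '?' -> '.'
  const escaped = shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  const re = new RegExp("^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$");
  return re.test(str);
}

function dottedToInt(ip) {
  // Dotted-quad string -> unsigned 32-bit integer.
  return ip.split(".").reduce((acc, octet) => (acc << 8) + Number(octet), 0) >>> 0;
}

function isInNet(host, pattern, mask) {
  // Only literal IPv4 hosts are handled in this harness.
  if (!/^\d+\.\d+\.\d+\.\d+$/.test(host)) return false;
  const m = dottedToInt(mask);
  return (dottedToInt(host) & m) === (dottedToInt(pattern) & m);
}

// The pattern as used in the original script: a bare suffix tested against
// the whole URL. With anchored matching this never succeeds.
function originalRuleMatches(url) {
  return shExpMatch(url, ".mkone.com");
}

const PROXIES = "PROXY 138.249.118.131:8080; " +
                "PROXY kcoeuproxy2.nt.kone.com:8080; " +
                "PROXY kcofiproxy1.kone.com:8080";

// Corrected rules: match the host with wildcard globs so intranet sites that
// require NTLM are reached directly and never pass through the proxy.
function FindProxyForURL(url, host) {
  if (isPlainHostName(host)) return "DIRECT";
  if (shExpMatch(host, "*.kone.com") ||
      shExpMatch(host, "*.mkone.com") ||
      shExpMatch(host, "*.equant.com")) return "DIRECT";
  if (isInNet(host, "138.249.0.0", "255.255.0.0") ||
      isInNet(host, "192.130.16.0", "255.255.255.0") ||
      isInNet(host, "57.0.0.0", "255.0.0.0")) return "DIRECT";
  if (shExpMatch(url, "https://*")) return "DIRECT";
  return PROXIES;
}

// Sample request taken from the access.log line in the message above.
const sampleUrl = "http://mkontsidoc.mkone.com/intradoc-cgi/iis_idc_cgi.dll?";
const sampleHost = "mkontsidoc.mkone.com";
console.log("original rule matches:", originalRuleMatches(sampleUrl));   // false
console.log("corrected decision:   ", FindProxyForURL(sampleUrl, sampleHost)); // DIRECT
```

Running the file prints `false` for the original pattern and `DIRECT` for the corrected script; the same harness can be pointed at any URL/host pair you see in access.log to confirm which rule it hits before deploying a new wpad.dat.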