Re: [squid-users] squid and ntlm-like authentication in a native AD domain ?

From: Guido Serassio <serassio@dont-contact.us>
Date: Sat, 07 Dec 2002 00:00:57 +0100

Hi Robert,

At 22:38 on 06/12/2002 Robert Collins wrote:
>On Sat, 2002-12-07 at 08:27, Jakob Curdes wrote:
> > If we have a domain without ntlm-enabled controllers, is there or will
> > there be in foreseeable future a method to authenticate without username and
> > password, as it was with ntlm ? In a message from H.N. I think there was a
> > note about development in this direction, but it was not clear what status
> > this thing has.
> >
> > (I know that I can run an NTLM-enabled PDC in native mode, but it might be
> > that this is not possible because of "policy"...)
>
>Well, if NTLM is off, then it's kerberos authentication that is needed.
>To do that we need a couple of things:
>1) To implement the MS-GSAPI kerberos over HTTP specification in general
>2) To implement a helper that talks with AD, probably this would use
>SAMBA again.

I have just read this on MSDN [Q321728]:

-------------------------------------------------------------------------------
The information in this article applies to:

- Microsoft Internet Explorer version 6 for Windows XP
- Microsoft Internet Explorer version 6 for Windows 2000
- Microsoft Internet Explorer versions 5.01, 5.01 Service Pack 1, 5.01 Service Pack 2, 5.5, 5.5 Service Pack 1, 5.5 Service Pack 2 for Windows 2000
- Microsoft Internet Security and Acceleration Server 2000
-------------------------------------------------------------------------------

SYMPTOMS
========

You cannot use Kerberos to authenticate with a proxy server (for example,
Internet Security and Acceleration Server 2000) in Internet Explorer.

CAUSE
=====

This behavior occurs because Internet Explorer does not support Kerberos
authentication with a proxy, and does not respond to a negotiate challenge from
a proxy server.

STATUS
======

This behavior is by design.

MORE INFORMATION
================

If Integrated Windows Authentication is turned on in Internet Explorer for
Windows 2000 and Windows XP, you can complete Kerberos authentication with Web
servers either directly or through a proxy server. However, Internet Explorer
cannot use Kerberos to authenticate with the proxy server itself.

NOTE: If Integrated Windows Authentication is turned on, Internet Explorer for
Windows 2000 and Windows XP responds to a negotiate challenge and supports
Kerberos authentication with Web servers. However, Internet Explorer for Windows
98, Windows 98 Second Edition, Windows Millennium Edition (Me), and Windows NT
4.0 cannot be configured to respond to a negotiate challenge. These versions of
Internet Explorer default to NTLM (or Windows NT Challenge/Response)
authentication even if the Enable Integrated Windows Authentication (requires
restart) check box is selected because this feature is not available on these
operating systems.

No comments .....

Regards

Guido

>It will probably happen eventually, when a developer needs to scratch
>this itch. Alternatively, if you need it soon, you could commission
>someone (anyone with the requisite) to develop it for you. We'd happily
>help such a person contribute the results back into squid. Some of the
>squid developers do such contracted enhancements, send an email to
>squid-dev@squid-cache.org if you want more information.
>
>Rob
>

-
=======================================================
Serassio Guido
Via Albenga, 11/4 10134 - Torino - ITALY
E-mail: guido.serassio@serassio.it
WWW: http://www.serassio.it
Received on Fri Dec 06 2002 - 16:03:11 MST
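As an added illustration of the client behaviour the KB article describes (example code, not from the thread or from squid): a small model of which Proxy-Authenticate challenge a browser will answer. It assumes one challenge per header line, a constructed 407 response, and a client capability table derived from the quoted text (the "kerberos-aware" entry is hypothetical).

```python
"""Model of how a browser answers a proxy's 407 challenge list.

Added example; not squid code and not from the mailing-list thread.
Assumption: one challenge per Proxy-Authenticate header line, scheme
names compared case-insensitively.
"""
from typing import Dict, List, Optional, Tuple

# Constructed 407 response: a proxy offering Negotiate, NTLM and Basic.
SAMPLE_407 = (
    "HTTP/1.0 407 Proxy Authentication Required\r\n"
    "Server: squid\r\n"
    "Proxy-Authenticate: Negotiate\r\n"
    "Proxy-Authenticate: NTLM\r\n"
    "Proxy-Authenticate: Basic realm=\"Squid proxy-caching web server\"\r\n"
    "\r\n"
)

# Constructed 407 response from a proxy that offers only Negotiate.
NEGOTIATE_ONLY_407 = (
    "HTTP/1.0 407 Proxy Authentication Required\r\n"
    "Proxy-Authenticate: Negotiate\r\n"
    "\r\n"
)

# Client capability tables (assumptions drawn from the KB text above):
# IE on Windows 2000/XP answers Negotiate for web servers but not for a
# proxy; IE on NT 4.0 cannot be configured for Negotiate at all.
CLIENT_PROXY_SCHEMES: Dict[str, List[str]] = {
    "ie6-win2000": ["NTLM"],
    "ie5-nt4": ["NTLM"],
    "kerberos-aware": ["Negotiate", "NTLM"],  # hypothetical client
}


def parse_proxy_challenges(raw: str) -> List[Tuple[str, str]]:
    """Return (scheme, rest) for every Proxy-Authenticate header in a 407."""
    head, _, _ = raw.partition("\r\n\r\n")
    challenges = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "proxy-authenticate":
            scheme, _, rest = value.strip().partition(" ")
            challenges.append((scheme, rest.strip()))
    return challenges


def choose_scheme(raw: str, client: str) -> Optional[str]:
    """Scheme the client will answer, in the client's own preference order.
    None means the client ignores every challenge and proxy auth fails."""
    offered = {s.lower(): s for s, _ in parse_proxy_challenges(raw)}
    for wanted in CLIENT_PROXY_SCHEMES[client]:
        if wanted.lower() in offered:
            return offered[wanted.lower()]
    return None
```

Running it against the two constructed responses shows why a proxy that drops NTLM and offers only Negotiate locks out the clients the article lists, while keeping both lets each client pick what it can answer.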