Re: [squid-users] Fw: Windows Integrated Authentication - is this a solution?

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Sun, 2 Mar 2003 10:28:48 +0100

Doing what you describe works as a bandaid provided you also disable
the pipelined request prefetching.. Your change makes it very likely
that the same server connection will be reused for the duration of
the client connection, and very unlikely the server connection will
ever be used for another client connection, almost providing
end-to-end HTTP state.

To be done proberly a tighter relation between the client and server
connection is required when detecting NTLM or NEGOTIATE authenticate
"packets" from the client in the HTTP request headers, forcing Squid
to use the same server connection for all requests in the duration of
the client connection.

You are welcome to join squid-dev to discuss this in more detail if
you like.
<url:http://www.squid-cache.org/mailing-lists.html#squid-dev>

Regards
Henrik

On Sunday 02 March 2003 04.49, Gary Price \(ICT\) wrote:
> I wanted to be able to transparently proxy Windows Integrated
> Authentication. I made a small change to squid that seems to let it
> work. I altered the hash key used for the persistent server
> connection list so it includes the IP and port of the client, as
> well as the host name and port of the origin server. So when a
> lookup is done for an idle file descriptor to use to connect to an
> origin server, only a FD that has previously been used for a
> connection from the same client port will be used. Before I made
> this change, in my test setup using IIS with Integrated Windows
> Authentication, I was getting multiple popups while trying to use
> Outlook Web Access and also my test web server. After making the
> change, I got only one popup per session as hoped.
>
> I don't understand why this seems to work, as the documentation,
> including from Microsoft says that the authentication method
> requires end-to-end HTTP state, and this change is not sufficient
> to guarantee that. Perhaps others could try this and report on what
> they find. Contact me directly for the source code I used.
>
> Gary Price
> Intelligent Compression Technologies
Received on Sun Mar 02 2003 - 02:26:52 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:13:53 MST