[squid-users] NTLM auth, IE and reverse proxy.

From: Andrew McKinney <andrew@dont-contact.us>
Date: Thu, 9 Oct 2003 17:01:54 +0200

Hi List,

I have recently set up a Squid as a reverse proxy, allowing internet
clients to check their Lotus Notes accounts, using iNotes. Everything
I wanted them to authenticate off the domain, to actually use the proxy,
before seeing the iNotes logon page.

This is currently working well for every browser bar IE. Other
browsers, such as Opera or Mozilla, seem to be presented with what looks
like a basic authentication logon. I can also see the Realm that I set
in auth_param in squid.conf. Whenever I enter a valid set of NT
credentials, it authenticates me and shows me the iNotes logon page. I
can also see the authenticated user in access.log.

IE is different, it presents me with the NTLM three fields, including
Domain. Whenever I use a set of valid credentials for the domain, it
gives me a Cache Access Denied. I have played with various options in
'Security' in IE, but with no luck.

Is there a way I can force IE to use the basic authentication that the
other clients can use so easily? iNotes *really* needs MS IE 6, so this
is important. I am aware that the order of auth_param tags, and feel
they are in the same order. Squid was also built with --enable-auth="

My squid.conf below:

- - SNIP - -
http_port 80
auth_param ntlm program /usr/local/squid/libexec/wb_ntlmauth
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param basic program /usr/local/squid/libexec/wb_auth
auth_param basic children 5
auth_param basic realm Lotus iNotes Secure Proxy
auth_param basic credentialsttl 2 hours
## define our ACL's. Safe ports, cache manager and authenticated users
acl all src 0.0.0.0/0.0.0.0
[...]
acl password proxy_auth REQUIRED
#acl our_networks src 192.168.1.0/24
# map acl with access.
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow all password
#http_access allow our_networks
[...]
httpd_accel_port 80
httpd_accel_host 192.168.1.3 # Notes IP
httpd_accel_single_host on # Only one backend.
httpd_accel_uses_host_header on
- - SNIP - -

Any info or thoughts greatly appreciated. Cheers,

Andrew

--
andrew (at) mongers (dot) org
Received on Thu Oct 09 2003 - 09:01:35 MDT
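
Added example, not part of the original post: a Python check over the auth_param lines quoted above. It reports the order in which the schemes first appear (Squid offers them to the client in that order), which ACLs require proxy_auth, and whether Basic is served on a plain-HTTP port. The function names and the embedded sample config are constructed for illustration.

```python
import re

# Constructed sample: the auth-related lines quoted in the post above.
SAMPLE_CONF = """\
http_port 80
auth_param ntlm program /usr/local/squid/libexec/wb_ntlmauth
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param basic program /usr/local/squid/libexec/wb_auth
auth_param basic children 5
auth_param basic realm Lotus iNotes Secure Proxy
auth_param basic credentialsttl 2 hours
acl password proxy_auth REQUIRED
http_access allow all password
"""

def parse_auth_params(conf_text):
    """Return {scheme: {option: value}}, keyed in order of first appearance."""
    schemes = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        m = re.match(r"auth_param\s+(\S+)\s+(\S+)\s*(.*)", line)
        if m:
            scheme, option, value = m.groups()
            schemes.setdefault(scheme.lower(), {})[option] = value.strip()
    return schemes

def audit(conf_text):
    """Hypothetical helper: (scheme order, proxy_auth ACL names, findings)."""
    schemes = parse_auth_params(conf_text)
    order = list(schemes)  # dicts keep insertion order
    findings = []
    for name, opts in schemes.items():
        if "program" not in opts:
            findings.append(f"{name}: no helper program configured")
    # http_port is a plain-HTTP listener; Basic credentials are only base64 there.
    ports = re.findall(r"^http_port\s+(?:\S+:)?(\d+)", conf_text, re.M)
    if "basic" in schemes and ports:
        findings.append(f"basic: base64 credentials sent without TLS on port {ports[0]}")
    acls = re.findall(r"^acl\s+(\S+)\s+proxy_auth\s+", conf_text, re.M)
    return order, acls, findings

if __name__ == "__main__":
    order, acls, findings = audit(SAMPLE_CONF)
    print("schemes offered, in order:", order)
    print("ACLs requiring proxy_auth:", acls)
    for f in findings:
        print("finding:", f)
```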
