RE: [squid-users] NTLM Authentication

From: Merton Campbell Crockett <mcc@dont-contact.us>
Date: Fri, 13 Aug 2004 14:54:32 -0700 (PDT)

I did get a response from the webmeister, finally. The web server is
configured to use Microsoft's "integrated authentication mechanism". This
allows either NTLM or Basic authentication schemes to be used.

On a special project several years ago I needed to demonstrate that the
user could authenticate and access data when the path was the following.

   (1) Client browser (laptop)
   (2) Squid proxy server
   (3) Firewall intercept proxy
   (4) Apache surrogate proxy
   (5) Windows 2000 IIS Web server

Normally, the laptop was on the same LAN as the IIS web server and used
NTLM authentication. The above was used when the laptop was deployed.
The only visible difference to the user was the pop-up login window that
was displayed when deployed.

I suspect, at the moment, that the problem is that the users don't know how
to enter their user ID correctly. All of them were changed when IT moved
from a Windows NT to an Active Directory domain.

Merton Campbell Crockett

On Fri, 13 Aug 2004, Chris Perreault wrote:

>
> 1) The webserver is asking for a username/password combo that it will
> attempt to match out of the domain's user database. Proxy or otherwise, I'd
> think that data would still be asked for, but realistically, for me I'll
> answer "don't know".
>
> 2) domainname\username
>
> 3) if this content *is* available by not going through the proxy, then you
> could have one of the webserver's pages have links like this:
>
> <a href=actual_server_ip/1st quarter reports-last year>1st qrt</a>
> <a href=proxy.com/1st quarter reports-this year>1st qrt</a>
> <a href=proxy.com/2nd quarter reports-this year>2nd qrt</a>
>
> Chris
>
> -----Original Message-----
> From: Merton Campbell Crockett [mailto:mcc@CATO.GD-AIS.COM]
> Sent: Friday, August 13, 2004 10:05 AM
> To: Squid Users List
> Subject: [squid-users] NTLM Authentication
>
> Background:
>
> (1) Users at one office access an internal web server through a Squid
> proxy server.
> (2) The internal web server is "publicly" accessible except for a set
> of directories containing financial data.
> (3) For an older set of financial reports, there were instructions on
> how to present your authentication credentials indicating the web
> server was configured to use basic authentication, i.e. the user
> ID was given as WINSdomain\username.
> (4) A new set of reports was recently added to the web server but
> cannot be accessed through the Squid proxy.
> (5) The login screen presented to the user looks like the standard
> screen used for basic authentication.
>
> Questions:
>
> (1) When a web server uses NTLM authentication, will a login screen
> be presented when the web site is accessed via a Squid proxy?
> (My recollection from years ago was that the login screen was
> only displayed when basic authentication was enabled?)
> (2) The web server was recently switched from a WindowsNT to an
> Active Directory domain. What is the syntax for a user login
> ID when basic authentication is used?
> (3) Is there a convenient way of specifying to the user that they
> should bypass the proxy for a subset of the web content?
>
> Merton Campbell Crockett
>
>
>

Received on Fri Aug 13 2004 - 15:58:49 MDT
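
An added example, not part of the original messages: it lists the authentication schemes a 401 response offers and builds a Basic credential from a user ID in the `domainname\username` form given in the quoted reply. The response text, realm, domain, user and helper names are constructed for illustration, and one challenge per header line is assumed.

```python
import base64
import re

# Constructed sample, not captured traffic: status line and headers of a 401
# from a server offering both schemes, one challenge per header line (assumed).
SAMPLE_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "WWW-Authenticate: NTLM\r\n"
    'WWW-Authenticate: Basic realm="reports.example.internal"\r\n'
    "Content-Length: 0\r\n"
    "\r\n"
)

def offered_schemes(raw_response):
    """Map each offered scheme (lowercased) to its realm, or None if absent."""
    schemes = {}
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() != "www-authenticate" or not value.strip():
            continue
        scheme = value.split()[0].lower()
        realm = re.search(r'realm="([^"]*)"', value, re.IGNORECASE)
        schemes[scheme] = realm.group(1) if realm else None
    return schemes

def split_user_id(user_id):
    """Split 'domainname\\username'; reject IDs without exactly one backslash."""
    domain, sep, username = user_id.partition("\\")
    if not sep or not domain or not username or "\\" in username:
        raise ValueError("expected domainname\\username")
    return domain, username

def basic_authorization(user_id, password):
    """Build the Basic Authorization header value for a domainname\\username ID."""
    split_user_id(user_id)                        # validate the syntax first
    if ":" in user_id:
        raise ValueError("':' separates user ID from password in Basic")
    raw = f"{user_id}:{password}".encode("utf-8")  # UTF-8 is an assumption
    return "Basic " + base64.b64encode(raw).decode("ascii")

def decode_basic(header_value):
    """Recover (user_id, password) from a Basic header value, for inspection."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user_id, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user_id, password
```
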