Re: [squid-users] Integrated Authentication

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Mon, 16 May 2005 14:01:45 +0200 (CEST)

On Tue, 10 May 2005, fryxar wrote:

> - MS ISA 2004 supports both (NTLM and Kerberos) authentication
> protocols

Not sure about the Kerberos part, at least not when running as an HTTP
proxy. The WINSOCKS proxy part most certainly supports both.

> - Squid supports only NTLM authentication protocol

Kerberos (Negotiate scheme) is on the way. See
http://devel.squid-cache.org/. Also dependent on Samba where this is not
quite ready yet.

> - IE 6 supports Kerberos authentication protocol, but it doesn't work
> if you are using a workstation with Win9x/Me/NT Operating System.

According to my information IE 6 only supports Kerberos to web servers,
not proxies. There are no obvious reasons why it should not support
Kerberos authentication to HTTP proxies but all information I have seen
indicates it does not support this.

> So, because Squid only supports NTLM authentication protocol, I can't
> disable from the proxy the popup authentication to the AD, neither
> disable it if I have in the net workstations with Win9x/Me/NT Operating
> System.

You can't disable either NTLM or Kerberos login popups from the proxy. To
the proxy there is no difference if the user has logged in directly to the
domain, or on demand via the popup. In both cases the user is logged in to
the domain in the eyes of the proxy.

If you want to stop this it has to be done by domain policies, making the
client refuse to allow the user to log in using the popup. Not sure if
this is possible.

Regards
Henrik
Received on Mon May 16 2005 - 06:01:51 MDT
