Re: [squid-users] Workaround with NTLM Website and NAT

From: Neil A. Hillard <hillardn@dont-contact.us>
Date: Thu, 09 Feb 2006 15:49:56 +0000

Hi,

Guillermo Gomez wrote:
> Mark Elsen wrote:
>
>>> My situation is simple:
>>>
>>> A web site is using NTLM authentication and asks the user for credentials
>>> (without squid).
>>> Our squid goes out through a NAT connection, then when the user tries
>>> with squid configured, an IIS error shows up in the browser saying:
>>>
>>> You are not authorized to view this page
>>>
>>> You do not have permission to view this directory or page using the
>>> credentials that you supplied because your Web browser is sending a
>>> WWW-Authenticate header field that the Web server is not configured to
>>> ....
>>>
>>
>> http://www.squid-cache.org/Doc/FAQ/FAQ-11.html#ss11.14
>>
>> Some extracts from this FAQ section :
>>
>> +We cannot proxy connections to a origin server that use NTLM
>> authentication, but we can act as a web accelerator or proxy server
>> and authenticate the client connection using NTLM.
>> ...
>>
>> +The protocol has several shortcomings, where the most apparent one is
>> that it cannot be proxied.
>> ....
>>
>> M.
>>
>>
> :( so basically there's no working solution for proxying this kind of site.
> The only workaround we have is to configure the clients to not proxy
> this site and then configure my nat/firewall to let this GET go through,
> but this solution avoids completely squid controls and pushes our team to
> configure more than 400 stations.
> Does anyone have a better solution?

Well, the real solution is to get the web host to use a _standard_
method of authentication. There is no standard detailing NTLM and it is
severely broken as you have discovered.

Even Microsoft admit that it should only be used on a corporate network
(i.e. not the Internet)!

You should suggest that they use basic auth over https or digest.

Sorry this isn't more positive but feel free to complain to Microsoft!

ATB,

                                Neil.

-- 
Neil Hillard                    hillardn@whl.co.uk
Westland Helicopters Ltd.       http://www.whl.co.uk/
Disclaimer: This message does not necessarily reflect the
             views of Westland Helicopters Ltd.
Received on Thu Feb 09 2006 - 08:49:31 MST
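
Added example, not part of the original thread: a small Python check a proxy administrator could run over a site's 401 response headers to see whether it offers only NTLM-style authentication or also a per-request scheme such as Basic or Digest. The sample headers, function names and verdict strings are constructed for illustration, and flagging Negotiate alongside NTLM is an assumption of this sketch.

```python
import re

# NTLM authenticates the TCP connection, not each request.
CONNECTION_BOUND = {"ntlm"}
# Assumption of this sketch: Negotiate is flagged too, since it can select NTLM.
POSSIBLY_BOUND = {"negotiate"}
_TOKEN = r"[A-Za-z0-9!#$%&'*+.^_`|~-]+"
# A challenge starts with a scheme token that is not followed by "=".
_SCHEME = re.compile(rf"^({_TOKEN})(?:\s+(?![\s=])|\s*$)")

def split_outside_quotes(value):
    """Split a header value on commas that are not inside a quoted-string."""
    parts, buf, quoted, escaped = [], [], False, False
    for ch in value:
        if quoted and not escaped and ch == "\\":
            escaped = True
        else:
            if ch == '"' and not escaped:
                quoted = not quoted
            escaped = False
        if ch == "," and not quoted:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]

def offered_schemes(raw_headers):
    """Return the schemes offered in WWW-Authenticate headers, in order."""
    schemes = []
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "www-authenticate":
            continue
        for part in split_outside_quotes(value):
            m = _SCHEME.match(part)
            if m and m.group(1).lower() not in schemes:
                schemes.append(m.group(1).lower())
    return schemes

def proxy_verdict(raw_headers):
    """Classify a 401 response by the kind of authentication it offers."""
    schemes = offered_schemes(raw_headers)
    if not schemes:
        return "no challenge"
    risky = [s for s in schemes if s in CONNECTION_BOUND | POSSIBLY_BOUND]
    if not risky:
        return "per-request"
    return "connection-bound only" if len(risky) == len(schemes) else "mixed"
```

A "connection-bound only" verdict corresponds to the situation in this thread, where the site gives the proxy nothing but NTLM to relay.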
