Re: [squid-users] Negotiate problem 'BH received type 1 NTLM token' from Malte Schröder on 2008-06-19 (squid-users)

From: Malte Schröder <maltesch_at_gmx.de>
Date: Thu, 19 Jun 2008 08:37:37 +0200

On Wed, 18 Jun 2008 21:54:19 +0200
Henrik Nordstrom <henrik_at_henriknordstrom.net> wrote:

> On ons, 2008-06-18 at 13:55 +0200, Malte Schröder wrote:
>
> > 2008/06/18 13:42:16| authenticateNegotiateHandleReply: Error validating user
> > via Negotiate. Error returned 'BH received type 1 NTLM token'
> >
> > Negotiate is configured like this:
> > auth_param negotiate program /usr/lib/squid/squid_kerb_auth -i
> > auth_param negotiate keep_alive on
>
> squid_kerb_auth only support Kerberos, but it looks like that your
> client for some reason attempted to use NTLM.
>
> Negotiate is a generic wrapper for WIndows SSP exchanges, and can wrap
> both Kerberos and NTLM, and possibly other Windows authentication
> methods as well..

Would it be possible to make a client fall back to NTLM if we see that
it doesn't do "proper" Negotiate? Maybe by not announcing Negotiate to
a certain client based on User-Agent or IP?

application/pgp-signature attachment: signature.asc

Received on Thu Jun 19 2008 - 06:37:47 MDT

This archive was generated by hypermail 2.2.0 : Thu Jun 19 2008 - 12:00:05 MDT