Re: [squid-users] Squid Auth question for machines not belonging to a AD domain

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 02 Nov 2009 23:42:33 +1300

Markus Moeller wrote:
> Does anybody know how a Windows client determines the right
> authentication mechanism? I have a case where most clients are on a
> Windows domain and squid_kerb_auth works fine. Now I have clients from
> visitors which have never been on the domain. Can I send to these
> clients a list of authentication mechanisms (e.g. Negotiate Digest
> Basic)? If so would the client choose always Negotiate with NTLM?
>
> Thank you
> Markus
>

IIRC it's the first-known mechanism from the list of headers received in
line-order.

Depends on the Windows API or library the app is built against as to
what is supported. The old API only does Basic or NTLM, the newer IE or
.NET based libraries (I'm not sure which) seem to do Negotiate as well. I
suspect from the talk of deprecating NTLM that there is probably a new
API in Vista++ which does or will do only Basic + Negotiate.

Digest may fit in there too somehow.

IME, I think sending the correct realm or domain in the NTLM or
Negotiate auth headers may prevent clients attempting auth with a known
mechanism if they are not part of the domain.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE7 or 3.0.STABLE20
   Current Beta Squid 3.1.0.14
Received on Mon Nov 02 2009 - 10:43:08 MST
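
Added example, not part of the original message and not Squid code: a model of the selection rule recalled in the reply (first mechanism the client knows, in header line order), used to see which clients would end up on Basic, where the password is only base64-encoded. The 407 response is constructed, the client profiles are hypothetical, and one challenge per Proxy-Authenticate line is assumed.

```python
# Added example: models "first known mechanism in header line order".
# Client profiles and the sample response are constructed assumptions.

# Constructed sample: a 407 offering the list from the question.
SAMPLE_407 = (
    "HTTP/1.1 407 Proxy Authentication Required\r\n"
    "Server: squid\r\n"
    "Proxy-Authenticate: Negotiate\r\n"
    'Proxy-Authenticate: Digest realm="proxy.example", nonce="abc123"\r\n'
    'Proxy-Authenticate: Basic realm="proxy.example"\r\n'
    "Content-Length: 0\r\n\r\n"
)

# Hypothetical profiles following the API generations guessed at in the reply.
CLIENTS = {
    "old_api": {"basic", "ntlm"},
    "newer_api": {"basic", "ntlm", "negotiate"},
    "basic_negotiate_only": {"basic", "negotiate"},
}


def offered_schemes(raw_response):
    """Return the auth schemes in the order their header lines appear."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    schemes = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() != "proxy-authenticate":
            continue
        parts = value.split(None, 1)             # scheme token, then parameters
        if parts:
            schemes.append(parts[0].lower())
    return schemes


def pick_scheme(raw_response, supported):
    """First offered scheme the client supports, or None if there is none."""
    for scheme in offered_schemes(raw_response):
        if scheme in supported:
            return scheme
    return None


def clients_falling_back_to_basic(raw_response, clients=CLIENTS):
    """Names of client profiles that would authenticate with Basic."""
    return sorted(name for name, supported in clients.items()
                  if pick_scheme(raw_response, supported) == "basic")


if __name__ == "__main__":
    for name, supported in CLIENTS.items():
        print(name, "->", pick_scheme(SAMPLE_407, supported))
```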
