[squid-users] Re: Squid Auth question for machines not belonging to a AD domain

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Tue, 3 Nov 2009 13:21:41 -0000

"Henrik Nordstrom" <henrik_at_henriknordstrom.net> wrote in message
news:1257212761.2980.2.camel_at_localhost.localdomain...
> Mon 2009-11-02 at 23:42 +1300, Amos Jeffries wrote:
>
>> IME, I think sending the correct realm or domain in the NTLM or
>> Negotiate auth headers may prevent clients attempting auth with a known
>> mechanism if they are not part of the domain.
>
> If Microsoft had thought about using the required realm parameter in
> their NTLM and Negotiate over HTTP schemes maybe, but as it is now those
> two "smells like HTTP auth but is not" authentication schemes do not
> support realms and probably never will.
>

I tested with Firefox and IE 8, and it looks like when Squid returns a
list like Negotiate Digest, Firefox will try Negotiate with NTLM and, when
this fails, tries Digest and stays with Digest when successful. IE 8 just
tries Negotiate with NTLM. So IE 8 will never be able to authenticate
non-domain machines, or is there a way to verify an NTLM password from a
standalone machine?

Does anybody know how MS intends to deal with this (e.g. guests in a company
network) in an MS-only environment with ISA proxy?

Thank you
Markus

> Regards
> Henrik
>
>
>
>
Received on Tue Nov 03 2009 - 13:24:34 MST
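
Added example, not part of the original message or of Squid: a small Python classifier that shows how a proxy operator can tell, from a captured Proxy-Authorization header, whether a client answered Negotiate with a raw NTLMSSP token (the "Negotiate with NTLM" case described above) or with a GSS-API/SPNEGO token. The function names and sample tokens are constructed for illustration; the NTLMSSP-inside-SPNEGO check is a byte-search heuristic, not an ASN.1 parse.

```python
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLM_MESSAGE_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def classify_proxy_authorization(header_value):
    """Return (scheme, detail) for one Proxy-Authorization header value."""
    scheme, _, rest = header_value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme not in ("negotiate", "ntlm"):
        return scheme, "not a token-based scheme"
    try:
        token = base64.b64decode(rest.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return scheme, "invalid base64"
    if token.startswith(NTLMSSP_SIGNATURE):
        if len(token) < 12:
            return scheme, "truncated NTLMSSP"
        # Message type is a little-endian uint32 right after the signature.
        (msg_type,) = struct.unpack_from("<I", token, 8)
        return scheme, "raw NTLMSSP " + NTLM_MESSAGE_TYPES.get(msg_type, "unknown")
    if token[:1] == b"\x60":  # ASN.1 [APPLICATION 0]: GSS-API initial token
        if NTLMSSP_SIGNATURE in token:  # heuristic: NTLM carried as the mech token
            return scheme, "SPNEGO wrapping NTLMSSP"
        return scheme, "GSS-API token (SPNEGO or Kerberos)"
    return scheme, "unrecognized token"


def sample_headers():
    """Constructed sample header values (not captured traffic)."""
    # Minimal NTLM type 1 message: signature, type, flags, empty fields.
    ntlm_type1 = NTLMSSP_SIGNATURE + struct.pack("<II", 1, 0x00000207) + b"\x00" * 16
    # GSS-API framing carrying only the SPNEGO OID 1.3.6.1.5.5.2.
    gss_stub = b"\x60\x08\x06\x06\x2b\x06\x01\x05\x05\x02"
    return {
        "ntlm_in_negotiate": "Negotiate " + base64.b64encode(ntlm_type1).decode(),
        "gss": "Negotiate " + base64.b64encode(gss_stub).decode(),
        "digest": 'Digest username="guest", realm="proxy"',
        "broken": "Negotiate !!!",
    }


if __name__ == "__main__":
    for name, value in sample_headers().items():
        print(name, classify_proxy_authorization(value))
```
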
