Re: [squid-users] Re: Squid Auth question for machines not belonging to a AD domain

From: Henrik Nordstrom <henrik_at_henriknordstrom.net>
Date: Tue, 03 Nov 2009 20:57:37 +0100

Tue 2009-11-03 at 19:44 +0000, Markus Moeller wrote:

> But how would that work if the guest uses his own machine e.g. Kerberos (no
> ticket available) nor NTLM (no shared machine key available) can be used or
> ? and ISA (or squid) sends Negotiate as the first auth option ?

NTLM works without shared machine key by manual entry of login+password
+domain when needed in the browser session. Only the proxy needs a
machine key to verify the login (not verified by browser).

Negotiate also works as long as the client station can talk to the KDC
and request a ticket, on the same premises. Maybe the ticket is even
issued via the proxy in such case (not entirely sure).

Neither NTLM nor Negotiate strictly requires the user to be logged on to
the domain, it just won't be automatic if he is not.

Regards
Henrik
Received on Tue Nov 03 2009 - 19:57:42 MST
