[squid-users] Re: Re: Squid Auth question for machines not belonging to a AD domain

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Tue, 3 Nov 2009 21:51:09 -0000

"Henrik Nordstrom" <henrik_at_henriknordstrom.net> wrote in message
news:1257278257.20561.5.camel_at_localhost.localdomain...
> tis 2009-11-03 klockan 19:44 +0000 skrev Markus Moeller:
>
>> But how would that work if the guest uses his own machine, e.g. neither
>> Kerberos (no ticket available) nor NTLM (no shared machine key available)
>> can be used? And ISA (or squid) sends Negotiate as the first auth option?
>
> NTLM works without shared machine key by manual entry of login+password
> +domain when needed in the browser session. Only the proxy needs a
> machine key to verify the login (not verified by browser).
>

Sorry, but it isn't clear to me. So basically the proxy cannot verify the
password, as the proxy will never have the machine key to verify the login?

> Negotiate also works as long as the client station can talk to the KDC
> and request a ticket, on the same premises. Maybe the ticket is even
> issued via the proxy in such case (not entirely sure).
>

Ok, this might work. The client should in theory be able to ask for a KDC
through SRV records, authenticate the user and get a TGS.

> Neither NTLM nor Negotiate strictly requires the user to be logged on to
> the domain, it just won't be automatic if he is not.
>
> Regards
> Henrik
Received on Tue Nov 03 2009 - 21:51:53 MST

This archive was generated by hypermail 2.2.0 : Wed Nov 04 2009 - 12:00:03 MST
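An added example, not part of this thread, of the KDC discovery step Markus refers to: given the SRV records a DNS query for `_kerberos._tcp.<REALM>` would return, order the KDCs to contact as RFC 2782 specifies (lowest priority first, weighted random within a priority). The realm name and SRV records below are constructed; the client still has to be able to reach the selected KDC, which is the precondition Henrik names for Negotiate working from a non-domain machine.

```python
import random
from typing import List, NamedTuple


class SrvRecord(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str


def kerberos_srv_name(realm: str, proto: str = "tcp") -> str:
    """Name a Kerberos client queries to locate KDCs for a realm.

    Realms are conventionally upper-case; DNS matching is case-insensitive.
    """
    return f"_kerberos._{proto}.{realm.rstrip('.')}."


def order_kdcs(records: List[SrvRecord], rng: random.Random) -> List[SrvRecord]:
    """Order SRV records per RFC 2782 so the client tries KDCs in that order.

    Lower priority values are tried first. Within one priority, a record is
    chosen with probability proportional to its weight; weight-0 records are
    sorted to the front so they are picked only when the random pick is 0.
    """
    ordered: List[SrvRecord] = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:
            pool.sort(key=lambda r: r.weight)  # zero weights first (RFC 2782)
            pick = rng.randint(0, sum(r.weight for r in pool))
            running = 0
            for rec in pool:
                running += rec.weight
                if running >= pick:
                    ordered.append(rec)
                    pool.remove(rec)
                    break
    return ordered


# Constructed answer for _kerberos._tcp.EXAMPLE.COM (hypothetical realm):
# two equally weighted primary KDCs and one backup at a worse priority.
EXAMPLE_RECORDS = [
    SrvRecord(20, 0, 88, "kdc-backup.example.com."),
    SrvRecord(10, 50, 88, "kdc1.example.com."),
    SrvRecord(10, 50, 88, "kdc2.example.com."),
]

if __name__ == "__main__":
    print(kerberos_srv_name("EXAMPLE.COM"))
    for r in order_kdcs(EXAMPLE_RECORDS, random.Random()):
        print(f"try {r.target}:{r.port} (priority {r.priority}, weight {r.weight})")
```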