[squid-users] Re: Re: Re: SSO with Active Directory-Squid Clients

Hi Bilal,

   Regarding your second point about workgroups the answer is that Kerberos
can work too (with popup). But to make it work your DHCP server has to
privode WINS servers (or it has to be hardcoded on the client). When a
client gets the Negotiate request the client will try to find out where the
domain server is for that domain (using the username details e.g. @DOMAIN)
via Netbios name resolution using the configured WINS servers. Once they
are determined the client will send AS and TGS requests to the domain server
and can then authenticate to the proxy.

Regards
Markus

"GIGO ." <gigoz_at_msn.com> wrote in message
news:SNT134-w4D0C3C636780C9186C4A2B9160_at_phx.gbl...

If i select negotiate/Kerberos as authentication protocol for my Squid on
Linux and configure no FallBack Authentication.what would be the consequence
?

1. Isnt it that all of my users who have logged into Active Directory and
where browser is supported will be able to use squid?

2. Only those users who will try to use squid from a workgroup giving their
domain passoword (domainname/userid) will fail as there will be no fallback
aviablable.

3. Is there any other scenario in which these users will not be able to use
squid?

I would be really thankful if you guide me further as i am failing to
understand why a fallback authentication is necessary if it is. What could
be the scenario when windows clients have no valid TGT even if they are
login to the domain? I hope you can understand me and help me to clear my
self.

regards,

Bilal Aslam

----------------------------------------
> To: squid-users_at_squid-cache.org
> From: huaraz_at_moeller.plus.com
> Date: Wed, 7 Apr 2010 20:17:20 +0100
> Subject: Re: [squid-users] Re: Re: SSO with Active Directory-Squid Clients
>
> Sorry I knew that but forgot to mention that I was talking about the Unix
> version.
>
> Thank you
> Markus
>
> "Guido Serassio" wrote in message
> news:58FD293CE494AF419A59EF7E597FA4E64002FA_at_hermes.acmeconsulting.loc...
> Hi Markus,
>
>> If you have a Windows client and the proxy send WWW-Proxy-Authorize:
>> Negotiate the Windows client will try first to get a Kerberos ticket
> and
>> if that succeeds sends a Negotiate response with a Kerberos token to
> the
>> proxy.
>> If the Windows client fails to get a Kerberos ticket the client will
> send
>> a Negotiate response with a NTLM token to the proxy. Unfortunately
> there> is yet no squid helper which can handle both a
> Negotiate/Kerberos response
>> and a Negotiate/NTLM response (although maybe the samba ntlm helper
> can).> So there is a fallback when you use Negotiate, but it has some
> caveats.
>
> This is not true when Squid is running on Windows: the Windows native
> Negotiate Helper can handle both Negotiate/Kerberos and Negotiate/NTLM
> responses.
>
> Regards
>
>
> Guido Serassio
> Acme Consulting S.r.l.
> Microsoft Gold Certified Partner
> VMware Professional Partner
> Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
> Tel. : +39.011.9530135 Fax. : +39.011.9781115
> Email: guido.serassio_at_acmeconsulting.it
> WWW: http://www.acmeconsulting.it
>
>
_________________________________________________________________
Hotmail: Trusted email with powerful SPAM protection.
https://signup.live.com/signup.aspx?id=60969
Received on Fri Apr 09 2010 - 11:13:17 MDT