[squid-users] Re: Kerberos-authentication and ntlm-fallback with AD-group-membership-checking

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Wed, 7 Jul 2010 22:19:32 +0100

Hi Tom

It should work if squid sends Negotiate and NTLM authentication requests to
the client. IE6 will ignore the Negotiate request and reply to NTLM, whereas
IE7 and IE8 will respond to Negotiate. With NTLM you will get a username
like Netbios-Domain\user in contrast to user@Kerberos-Realm. squid_kerb_ldap
can deal with this through the -N option, e.g. -N
Netbios-Domain@Kerberos-Realm, and if you have two domains use -N
Netbios-Domain@Kerberos-Realm:Netbios-Domain2@Kerberos-Realm2.

Regards
Markus

"Tom Tux" <tomtux80_at_gmail.com> wrote in message
news:AANLkTinrNhqPuwS0h21XYBrqTuRde7dK9ebHKXG9zkm5_at_mail.gmail.com...
> Hi
>
> I'm searching for a way to authenticate IE6-clients with ntlm based on
> group-membership and all other clients (IE7, IE8) with kerberos (also
> group-membership-based).
>
> I'm able to authenticate with kerberos AND group-membership
> (squid_kerb_ldap), but the IE6-clients will then prompt for the
> squid_kerb_ldap-authentication. If I leave the squid_kerb_ldap-helper
> out, then all users are able to authenticate without checking the
> group-membership.
>
> How can I achieve a proper single-sign-on
> kerberos-authentication (with squid_kerb_ldap) and a
> fallback-ntlm-authentication for the IE6-browser (also with checking
> group-membership) without prompting for username/password?
>
> Thank you.
> Regards
> Tom
>
Received on Wed Jul 07 2010 - 21:19:48 MDT
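
The setup described in the reply above, written out as a squid.conf fragment. This is an added example, not configuration posted by anyone in the thread. The helper paths, the service principal, the group name ProxyUsers, the NetBIOS name EXAMPLE and the realm EXAMPLE.COM are placeholder assumptions.

```conf
# Added example: paths, principal, group, NetBIOS name and realm are placeholders.

# Negotiate is offered first; IE7 and IE8 answer it with a Kerberos ticket,
# so the helper returns a login of the form user@EXAMPLE.COM.
auth_param negotiate program /usr/lib/squid/squid_kerb_auth -s HTTP/proxy.example.com@EXAMPLE.COM
auth_param negotiate children 10
auth_param negotiate keep_alive on

# NTLM is offered as well; IE6 ignores Negotiate and answers this scheme,
# so the helper returns a login of the form EXAMPLE\user.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm keep_alive on

# One group check for both login forms. -N maps the NetBIOS domain of an
# NTLM login to the Kerberos realm, so EXAMPLE\user is looked up in
# EXAMPLE.COM exactly like user@EXAMPLE.COM. For two domains the mapping
# list is colon-separated: -N EXAMPLE@EXAMPLE.COM:EXAMPLE2@EXAMPLE2.COM
external_acl_type ad_group ttl=3600 negative_ttl=3600 %LOGIN /usr/lib/squid/squid_kerb_ldap -g ProxyUsers@EXAMPLE.COM -N EXAMPLE@EXAMPLE.COM

# Access is granted only to authenticated members of the group; everything
# else is denied, so no user gets through on authentication alone.
acl in_proxy_group external ad_group
http_access allow in_proxy_group
http_access deny all
```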
