RE: [squid-users] Transparent Proxy & ntlm authentication issue

From: Almighty <almighty0_at_gmail.com>
Date: Tue, 4 Oct 2011 15:36:58 +0100

Thanks for that Alex.

I have used wpad in the past but I had to ensure that the browsers had
"Automatically detect settings" ticked. It's for a wireless network so they
are not on our domain. We purely use NTLM for authentication and
verification that they are actually users on our domain. No problems, I'm
having a look at NoCatSplash (catch-and-release) software to see if this
will work.

Thanks again.

-----Original Message-----
From: Alex Crow [mailto:alex_at_nanogherkin.com]
Sent: 03 October 2011 17:57
To: squid-users_at_squid-cache.org
Subject: Re: [squid-users] Transparent Proxy & ntlm authentication issue

Almighty,

You can't do transparent and NTLM auth together, as in order to do NTLM
the browser must be configured to know it's using a proxy. Unless, as
your handle suggests, you are indeed omnipotent ;-)

This question and ones like it come up a lot - and there is a simple
solution if you are in control of the environment - block all HTTP/S at
the firewall/default gateway from client machines, do WPAD to send the
clients through the proxy and there you go. That way you can also do
access rules on HTTPS requests (only the domain part unless you use
SSLBUMP).

And if you're in a domain, the NTLM is definitely not set up properly if
the browser is prompting for a password. That's the point of NTLM, you
don't need to put in your creds, they are taken from your Windows domain
session.

Cheers

Alex

On 03/10/11 12:00, Almighty wrote:
> Hi,
>
> I am redirecting my clients to my proxy server transparently using IPTABLES,
>
>
> -A PREROUTING -p tcp -m tcp -i eth0 --dport 80 -j REDIRECT --to-ports 8080
>
> I am also using ntlm authentication that forces all connections to
> authenticate to AD.
> The redirect works fine except squid says "Cache error denied" and never
> prompts me for any authentication.
>
> If I manually specify the proxy server IP under my browser then it prompts
> me for authentication and all is well.
>
> Is there any way I can get squid to prompt me for authentication when I
> redirect through IPTABLES?
>
> Many thanks,
>
Received on Tue Oct 04 2011 - 14:37:08 MDT
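
The WPAD approach Alex describes, as an added example that is not part of the original thread: a proxy auto-config file (served as wpad.dat) that sends clients explicitly to the proxy, so the browser knows it is talking to a proxy and can answer its NTLM challenge. The proxy host, port 3128 and the internal domain suffix are placeholder assumptions.

```javascript
// wpad.dat / proxy.pac: constructed example, not from the thread.
// Assumptions (placeholders): proxy host and port, internal domain suffix.
var PROXY = "PROXY proxy.example.internal:3128";
var INTERNAL_SUFFIX = ".example.internal";

// True for dotted-quad literals in loopback or RFC 1918 ranges.
// Pure string check, so no DNS lookup is triggered from the PAC script.
function isPrivateIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = Number(m[1]), b = Number(m[2]);
  return a === 127 || a === 10 ||
         (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168);
}

// Suffix match written out by hand; older PAC engines lack String.endsWith.
function endsWith(s, suffix) {
  return s.length >= suffix.length &&
         s.substring(s.length - suffix.length) === suffix;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Bare names, internal hosts and private addresses bypass the proxy.
  if (host.indexOf(".") === -1 || host === "localhost" ||
      endsWith(host, INTERNAL_SUFFIX) || isPrivateIPv4(host)) {
    return "DIRECT";
  }
  // Everything else goes to the proxy. There is no "; DIRECT" fallback:
  // direct HTTP/S is blocked at the firewall, so the only path out is the
  // authenticated proxy.
  return PROXY;
}
```

Browsers expect the file to be served with the MIME type application/x-ns-proxy-autoconfig.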
