(sorry for the thread break, I loosed original messages and cannot find
the Message-ID)
Amos, thanks for your hints.
I did some tests to connect to a kerberos enabled squid from a windows
client not within the AD domain:
squid auth setup is:
negotiate squid_kerb_auth
ntlm
basic (ldap)
As negotiate is proposed and IE support it, it always try to
authenticate with negotiate and so it fails every time.
I tried to invert the auth order, putting basic at first, IE always try
negotiate (when Firefox just use the first one).
With the negotiate,ntlm,basic order, firefox seems to try different
methods, because after three tries of login in, it works.
If I remove negotiate, then I can authenticate using ntlm by specifying
as username DOMAIN\user.
So as I understand, the only way to go is to have two squids:
- one with kerberos for 'domain' users (with ntlm fallback for clients
not knowing negotiate support, but ntlm and with basic fallback for
client without negotiate/ntlm support)
- and a second one with only basic auth
Received on Thu Dec 08 2011 - 20:14:57 MST
This archive was generated by hypermail 2.2.0 : Fri Dec 09 2011 - 12:00:03 MST