Re: [squid-users] Kerberos auth and users in another AD domain

From: Emmanuel Lacour <>
Date: Thu, 8 Dec 2011 21:14:51 +0100

(sorry for the thread break, I lost the original messages and cannot find
the Message-ID)

Amos, thanks for your hints.

I did some tests connecting to a Kerberos-enabled Squid from a Windows
client that is not within the AD domain:

squid auth setup is:
negotiate squid_kerb_auth
basic (ldap)

As negotiate is proposed and IE supports it, it always tries to
authenticate with negotiate and so it fails every time.

I tried to invert the auth order, putting basic first; IE always tries
negotiate (whereas Firefox just uses the first one).

With the negotiate,ntlm,basic order, Firefox seems to try different
methods, because after three tries of logging in, it works.

If I remove negotiate, then I can authenticate using ntlm by specifying
as username DOMAIN\user.

So as I understand, the only way to go is to have two squids:
- one with kerberos for 'domain' users (with ntlm fallback for clients
  that do not support negotiate but do support ntlm, and with basic
  fallback for clients without negotiate/ntlm support)
- and a second one with only basic auth
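
A sketch of the two-instance layout described above, as an added example that is not part of the original message or of the Squid project's documentation. The file names, ports, helper paths, service principal, LDAP base DN, bind account and host names are all placeholder assumptions.

```conf
# ---- Instance 1: /etc/squid/squid-domain.conf (assumed file name) ----
# For domain-joined clients. Schemes are listed negotiate, ntlm, basic,
# matching the order tested in the message.
http_port 3128

# Kerberos via squid_kerb_auth; principal and path are placeholders.
auth_param negotiate program /usr/lib/squid/squid_kerb_auth -s HTTP/proxy.example.com@EXAMPLE.COM
auth_param negotiate children 10
auth_param negotiate keep_alive on

# NTLM fallback via Samba's ntlm_auth helper (path is a placeholder).
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10

# Basic fallback against LDAP for clients with neither negotiate nor ntlm.
auth_param basic program /usr/lib/squid/squid_ldap_auth -b "dc=example,dc=com" -D "cn=squid-bind,dc=example,dc=com" -W /etc/squid/ldap.secret -f "sAMAccountName=%s" -h dc1.example.com
auth_param basic children 5
auth_param basic realm Proxy (domain clients)

acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all

# ---- Instance 2: /etc/squid/squid-basic.conf (assumed file name) ----
# For clients outside the AD domain. Only basic is offered, so a browser
# that always prefers negotiate has nothing else to pick.
# Basic sends the password base64-encoded, not encrypted, on every
# request, so restrict which networks may reach this port.
http_port 3129

auth_param basic program /usr/lib/squid/squid_ldap_auth -b "dc=example,dc=com" -D "cn=squid-bind,dc=example,dc=com" -W /etc/squid/ldap.secret -f "sAMAccountName=%s" -h dc1.example.com
auth_param basic children 5
auth_param basic realm Proxy (non-domain clients)

acl authenticated proxy_auth REQUIRED
acl nondomain_net src 192.0.2.0/24   # placeholder network
http_access allow nondomain_net authenticated
http_access deny all
```

Each instance also needs its own `pid_filename`, log and cache paths so the two processes do not collide.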
