[squid-users] Re: Kerberos auth and users in another AD domain

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Fri, 9 Dec 2011 18:31:07 -0000

Did you try my negotiate wrapper? It is part of squid 3.2, but right now
only works with 3.1 (I have an open bug for 3.2).

Markus

"Emmanuel Lacour" <elacour_at_easter-eggs.com> wrote in message
news:20111209110446.GC11412_at_easter-eggs.com...
> On Thu, Dec 08, 2011 at 09:14:51PM +0100, Emmanuel Lacour wrote:
>>
>>
>> As negotiate is proposed and IE supports it, it always tries to
>> authenticate with negotiate and so it fails every time.
>>
>
> this is by design since XP SP2:
>
> http://support.microsoft.com/kb/891559
>
> I did not find any workaround.
>
> here is a setup that I tested, which allows every kind of auth, except from
> an IE client not in the AD domain:
>
> auth_param negotiate program /usr/lib/squid3/negotiate_kerb_auth -d -s GSS_C_NO_NAME
> auth_param negotiate children 5
> auth_param negotiate keep_alive off
>
> auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=TEST
> auth_param ntlm children 5
> auth_param ntlm keep_alive off
>
> auth_param basic program /usr/lib/squid3/squid_ldap_auth -R -b "dc=test,dc=local" -D "cn=Administrator,cn=Users,dc=test,dc=local" -w "xxxxx" -f sAMAccountName=%s -h win-hlbivo4bbdl.test.local -d
> auth_param basic casesensitive off
> auth_param basic children 5
> auth_param basic realm Proxy TEST
>
>
>
> NB: setting a default domain for ntlm allows users to just use the login,
> without domain\ before
> NB: keep_alive off, as written in the docs, helps at least FF to not
> prompt multiple times for auth
>
>
Received on Fri Dec 09 2011 - 18:31:39 MST
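The setup quoted above configures three schemes, and Squid advertises one Proxy-Authenticate header per configured scheme, in configuration order, leaving the client to choose. The script below is an added example, not code from this thread or from the Squid project: it reads a squid.conf fragment modelled on the quoted one to list the configured scheme order, parses a constructed 407 response (not captured from a real proxy) to list what a credential-less client actually sees offered, and flags helper command lines that carry a secret as an argument, since the `-w "xxxxx"` bind password in the quoted basic helper line is visible to every local user in a process listing. Two caveats a practitioner will want alongside this: the quoted LDAP helper binds as the domain Administrator, where a dedicated read-only bind account would do, and a client that falls back to Basic sends the user's domain password base64-encoded, i.e. effectively in the clear, to the proxy.

```python
"""Inspect the authentication schemes a Squid proxy configures and advertises.

Added example, not part of the squid-users thread or of Squid itself.
All inputs below are constructed: the squid.conf fragment is modelled on
the one quoted in the thread and the 407 response is hand-written, not
captured from a running proxy.
"""
import re
import shlex
from email.parser import BytesParser

# Constructed squid.conf fragment (modelled on the quoted configuration).
SQUID_CONF = """\
auth_param negotiate program /usr/lib/squid3/negotiate_kerb_auth -d -s GSS_C_NO_NAME
auth_param negotiate children 5
auth_param negotiate keep_alive off
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=TEST
auth_param ntlm children 5
auth_param ntlm keep_alive off
auth_param basic program /usr/lib/squid3/squid_ldap_auth -R -b "dc=test,dc=local" -D "cn=Administrator,cn=Users,dc=test,dc=local" -w "xxxxx" -f sAMAccountName=%s -h win-hlbivo4bbdl.test.local -d
auth_param basic casesensitive off
auth_param basic children 5
auth_param basic realm Proxy TEST
"""

# Constructed 407 reply, as a client that sent no credentials would see it.
RESPONSE_407 = (
    b"HTTP/1.1 407 Proxy Authentication Required\r\n"
    b"Server: squid\r\n"
    b"Proxy-Authenticate: Negotiate\r\n"
    b"Proxy-Authenticate: NTLM\r\n"
    b'Proxy-Authenticate: Basic realm="Proxy TEST"\r\n'
    b"Content-Length: 0\r\n"
    b"\r\n"
)

PROGRAM_LINE = re.compile(r"\s*auth_param\s+(\w+)\s+program\s+(.*)$")


def configured_schemes(conf):
    """Scheme names in the order their 'auth_param <scheme> program' line appears.

    That order is the order in which Squid offers the schemes to clients.
    """
    order = []
    for line in conf.splitlines():
        m = PROGRAM_LINE.match(line)
        if m and m.group(1) not in order:
            order.append(m.group(1))
    return order


def advertised_schemes(raw):
    """Scheme names taken from every Proxy-Authenticate header of a 407.

    Returns an empty list for any other status, since only a 407 is a
    proxy authentication challenge.
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    status_line, _, header_bytes = head.partition(b"\r\n")
    if b" 407 " not in status_line:
        return []
    headers = BytesParser().parsebytes(header_bytes + b"\r\n")
    # The scheme is the first token; parameters such as realm="..." follow it.
    return [value.split()[0] for value in headers.get_all("Proxy-Authenticate", [])]


def helper_findings(conf):
    """Flag helper command lines that pass a secret as a process argument.

    Arguments of a running helper are visible to every local user via ps,
    so a '-w <password>' on the command line exposes the LDAP bind secret.
    """
    findings = []
    for line in conf.splitlines():
        m = PROGRAM_LINE.match(line)
        if not m:
            continue
        scheme, argv = m.group(1), shlex.split(m.group(2))
        if "-w" in argv:
            findings.append((scheme, "bind password passed on the helper command line"))
    return findings


def challenge_matches_config(conf, raw):
    """True when the 407 offers exactly the configured schemes, in config order."""
    return [s.lower() for s in advertised_schemes(raw)] == configured_schemes(conf)


if __name__ == "__main__":
    print("configured:", configured_schemes(SQUID_CONF))
    print("advertised:", advertised_schemes(RESPONSE_407))
    print("consistent:", challenge_matches_config(SQUID_CONF, RESPONSE_407))
    for scheme, note in helper_findings(SQUID_CONF):
        print(f"finding ({scheme}): {note}")
```

Against a live proxy, replace `RESPONSE_407` with the raw bytes of a `CONNECT` or `GET` sent without a Proxy-Authorization header; the header order in the reply is what a client such as the IE instance in the thread bases its choice on.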
