Re: [squid-users] NTLM and Kerberos with IE6

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sun, 01 Jul 2012 20:42:06 +1200

On 30/06/2012 11:36 p.m., Navas wrote:
> Hi,
>
> I have set up squid authentication with Kerberos to the 2003 Active
> Directory. I could test it successfully with all browsers but it failed in IE6.
> So I used the following squid.conf to get NTLM auth for IE6
>
> #
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> #
> #auth_param negotiate program /usr/sbin/squid_kerb_auth -d
> auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=SYSNET.LOCAL --kerberos /usr/sbin/squid_kerb_auth -d -s GSS_C_NO_NAME
> auth_param negotiate children 10
> auth_param negotiate keep_alive on
>
> ### pure ntlm authentication
> auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=SYSNET.LOCAL
> auth_param ntlm children 10
> auth_param ntlm keep_alive off
> acl auth proxy_auth REQUIRED
>
> But the question is: does it need a separate configuration, as in ### pure ntlm
> authentication, specifically for NTLM?
> Will it never work with only the first entries, which are supposed to work with
> both NTLM and Kerberos?

Yes, it needs to be a separate configuration for IE6 and older software
which only supports "pure" NTLM.

The newer software will know that NTLM can be responded to using
Negotiate/NTLM. But then you would not have had problems with negotiate
to start with if they were doing that properly.

Amos
Received on Sun Jul 01 2012 - 08:42:21 MDT
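
The distinction discussed in this thread, as an added example that is not part of the original messages or of Squid's code: a small classifier for `Proxy-Authorization` values that separates the HTTP scheme (`NTLM` vs `Negotiate`) from the token carried inside it, which is useful when reading a capture to see why a client such as IE6 never reaches the negotiate helper. The sample tokens are constructed, and the function names and routing labels are assumptions made for illustration.

```python
import base64

NTLMSSP_SIG = b"NTLMSSP\x00"  # signature that opens every NTLMSSP message
GSSAPI_TAG = b"\x60"          # ASN.1 tag that opens a GSS-API initial token

def classify(header_value):
    """Split a Proxy-Authorization value into (HTTP scheme, token mechanism)."""
    scheme, _, blob = header_value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme not in ("ntlm", "negotiate"):
        return scheme, "other"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return scheme, "invalid"
    if token.startswith(NTLMSSP_SIG):
        return scheme, "ntlmssp"
    if token.startswith(GSSAPI_TAG):
        return scheme, "gssapi"  # Kerberos or SPNEGO-wrapped token
    return scheme, "unknown"

def handled_by(header_value):
    """Name the squid.conf auth scheme that has to exist for this header."""
    routes = {
        ("ntlm", "ntlmssp"): "auth_param ntlm",
        ("negotiate", "ntlmssp"): "auth_param negotiate (--ntlm helper)",
        ("negotiate", "gssapi"): "auth_param negotiate (--kerberos helper)",
    }
    return routes.get(classify(header_value), "no matching helper")

def _b64(raw):
    return base64.b64encode(raw).decode("ascii")

# Constructed sample tokens: an NTLMSSP type 1 header and a GSS-API-shaped blob.
NTLM_TYPE1 = NTLMSSP_SIG + b"\x01\x00\x00\x00" + bytes(24)
GSS_BLOB = GSSAPI_TAG + b"\x82\x01\x00" + bytes(16)

SAMPLES = {
    "pure NTLM (IE6 style)": "NTLM " + _b64(NTLM_TYPE1),
    "NTLM inside Negotiate": "Negotiate " + _b64(NTLM_TYPE1),
    "Kerberos inside Negotiate": "Negotiate " + _b64(GSS_BLOB),
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(f"{label:28} -> {handled_by(value)}")
```
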
