Re: [squid-users] Apps use NTLM against negotiate but do not fallback to basic if that fails

From: Amos Jeffries <>
Date: Thu, 02 Aug 2012 21:11:00 +1200

On 2/08/2012 8:03 p.m., Stefan Bauer wrote:
> Dear Developers & Users,
> I'm using squid with negotiate and basic-auth as fallback.
> negotiate is squid_kerb_auth and
> basic is squid_ldap_auth
> Both work fine together. I noticed, that some apps responde to negotiate with NTLM - in this case, squid reports:
> 2012/08/01 10:19:14| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
> because it can not deal and should not deal with NTLM only kerberos. I expected to have an automatically fallback to basic in this case but opera does not! Why is that?

You will have to ask Opera that one.

> If i force opera to disable NTLM - it uses basic auth and everybody is happy in my dep.
> Can anyone please provide some deeper informations about that behavior?

All Squid can do is advise the available auth mechanisms and/or that the
credentials given have failed. It's up to the client app to keep track
of what it has available and what is (or not) working.

You could try the negotiate_wrapper Markus wrote. That permits the NTLM
and Kerberos GSSAPI mechanisms to both be negotiated via Negotiate auth.

Received on Thu Aug 02 2012 - 09:11:20 MDT

This archive was generated by hypermail 2.2.0 : Thu Aug 02 2012 - 12:00:02 MDT