Re: [squid-users] R: [squid-users] I: Problem with some website and application

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 08 Sep 2012 14:29:42 +1200

On 8/09/2012 12:56 a.m., Job wrote:
> Hello Amos!
>
> Excuse me but I lost your reply! :)
>
> I work with an explicit proxy WITH authentication, maybe I was wrong when writing my post.
>
> Can I operate, with Windows 7 and Vista, this workaround in the registry?
>
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
> LmCompatibilityLevel at value 1.
>
> Do you think it solves the problem?

It will disable NTLM security on those systems, reducing them to LanMan
security (something like 8-bit encryption, which can be decrypted in
real time) using the "NTLM" tag in HTTP.

> Any other ideas?

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
LmCompatibilityLevel

IIRC... value 5 is Kerberos, value 4 is NTLMv2-only with security
extensions. 3 is NTLMv1-v2 only but no extra security extensions. You
could try one of those.

Best of all would be to roll out Kerberos everywhere and leave the new
OS at their preferred settings.

Amos

> Thank you!
> Francesco
>
> ________________________________________
> From: Amos Jeffries [squid3_at_treenet.co.nz]
> Sent: Sunday, 5 August 2012 12:39
> To: squid-users_at_squid-cache.org
> Subject: Re: [squid-users] I: Problem with some website and application
>
> On 4/08/2012 3:50 a.m., Job wrote:
>> Hello,
>>
>> I have used squid for about ten years, I grew up with squid!
>>
>> Actually I have got a big problem, especially in public administration in Italy, when using NTLM authentication and an explicit proxy.
>>
>> Some websites and client-server applications do not work behind an explicit authenticated proxy; those are badly written, not w3c, and not working well.
>> I have to create some iptables bypasses and work with wpad.
>>
>> Furthermore, some websites call other websites, so debugging the failed access becomes very very hard and takes lots of time, and customers say "but at home with home-dsl everything is fine! Why not at office?"
>>
>> It is very frustrating, I am thinking of using only a transparent proxy with no authentication scheme.
>>
>> What do you think about it?
> If it were possible for you to operate "transparent proxy" without
> authentication, why are you not operating an "explicit proxy" without
> authentication?
>
> Or perhaps you could tell us what the problems you are facing are, what
> systems are involved and what versions of the relative software. Noting
> that Windows Vista and later are designed to work with Kerberos instead
> of NTLM - which is likely the real cause of your problem.
>
> Amos
Received on Sat Sep 08 2012 - 02:29:55 MDT
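
Added example (not part of the original thread, and not Squid project code): a read-only PowerShell check that reports the current LmCompatibilityLevel and whether a proposed value, such as the 1 asked about above, would make the client send LM or NTLMv1 responses again. It assumes PowerShell 3.0 or later, takes the level meanings from Microsoft's "Network security: LAN Manager authentication level" policy documentation, and assumes an absent value means the Vista/7 default of 3; the function names are hypothetical.

```powershell
# Added example: audit LmCompatibilityLevel and judge a proposed change.
# Nothing is written to the registry.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LmLevelInfo {
    param([Parameter(Mandatory = $true)][int]$Level)
    if ($Level -lt 0 -or $Level -gt 5) {
        throw "LmCompatibilityLevel $Level is outside the documented range 0-5"
    }
    # Client-side behaviour per Microsoft's policy documentation.
    [pscustomobject]@{
        Level       = $Level
        SendsLM     = $Level -le 1   # 0 and 1 still send LM responses
        SendsNTLMv1 = $Level -le 2   # 0, 1 and 2 still send NTLMv1 responses
        NTLMv2Only  = $Level -ge 3   # 3, 4 and 5 send NTLMv2 responses only
    }
}

function Test-LmLevelChange {
    param(
        [Parameter(Mandatory = $true)][int]$ProposedLevel,
        [string]$Path = $LsaKey
    )
    $prop = Get-ItemProperty -Path $Path -Name LmCompatibilityLevel `
                             -ErrorAction SilentlyContinue
    if ($null -ne $prop) {
        $current = [int]$prop.LmCompatibilityLevel
        $source  = 'Registry'
    } else {
        # Assumption: value not set, so the OS default applies (3 on Vista/7).
        $current = 3
        $source  = 'OS default (assumed 3)'
    }
    $now  = Get-LmLevelInfo -Level $current
    $then = Get-LmLevelInfo -Level $ProposedLevel
    [pscustomobject]@{
        CurrentLevel    = $current
        CurrentSource   = $source
        ProposedLevel   = $ProposedLevel
        LowersLevel     = $ProposedLevel -lt $current
        ReenablesLM     = (-not $now.SendsLM) -and $then.SendsLM
        ReenablesNTLMv1 = (-not $now.SendsNTLMv1) -and $then.SendsNTLMv1
    }
}

# Evaluate the workaround from the question (value 1) before applying it.
Test-LmLevelChange -ProposedLevel 1 | Format-List
```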
