Fwd: [squid-users] Eliminate PopUP authentication for web Windows Users

From: Carlos Daniel Perez <krlosdaniel21_at_gmail.com>
Date: Fri, 22 Mar 2013 05:59:55 -0430

Squid Version 3.1.19
Web Browser IE and Firefox

On 22/03/2013 11:18 a.m., Leonardo Rodrigues wrote:
>
>
> Basic authentication type will always prompt for username/password; there's nothing wrong with it and no way to avoid it nor 'fix' it, as there's nothing wrong at all.
>

Not true. There is no more or less reason for Basic auth scheme to
cause a popup than any other. If the browser is able to find
credentials that will work against the proxy it can send them without
a popup asking for others. This is true for *all* authentication
types. How the browser gets credentials is all well outside the scope
of Squid interaction. User popup is one potential source of
credentials amongst many.

> If your users are authenticated in your domain and you want Squid to 'automagically' use those credentials for web surfing, then you'll have to change your authentication type to NTLM or Digest or Negotiate.
>
> I have LOTS of Squid boxes authenticating on ADs using NTLM authentication type. It's a lot more complicated to configure than Basic type but, once configured, it works just fine and simply.

On the other hand, NTLM was officially deprecated more than 10 years ago
and officially removed from the last several generations of MS
products. Carlos, if you don't already know and use NTLM, try to go
straight to Kerberos with the Negotiate auth scheme.

> On 21/03/13 18:45, Carlos Daniel Perez wrote:
>>
>> Hi,
>>
>> I have a Squid server configured to make queries in one ActiveDirectory
>> server through squid_ldap_group. The query is OK and authenticated users
>> can surf the web. But my users need to put in their username and password
>> when they open a browser.
>>
>> [ ... ]
>> My squid_ldap_auth line is:
>> auth_param basic program /usr/lib/squid3/squid_ldap_auth -R -d -b dc=enterprise,dc=com -D cn=support,cn=Users,dc=enterprise,dc=com -w 12345 -f sAMAccountName=%s -h 192.168.2.1
>
>

What traffic is going through? I think that helper does not strip the
Windows realm off the username if the browser is sending the NTLM
credentials across Basic scheme.

What version of Squid are you using? (It looks old if it still contains
a binary named squid_ldap_auth.) Some of the 3.x don't support NTLM
credentials well.

What browser is the problem showing up with? Browsers other than IE
have a hard time locating the Windows login credentials to use SSO.

Amos
Received on Fri Mar 22 2013 - 10:30:12 MDT
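
The realm-stripping question raised above, as an added example that is not part of the original thread and not Squid's own code: a wrapper placed in front of a Basic auth helper that reduces `DOMAIN\user` or `user@REALM` to the bare account name before it reaches a filter such as `sAMAccountName=%s`. It assumes the Squid Basic helper line protocol (URL-encoded `user password` in, `OK`/`ERR` out); the function names and sample logins are constructed for illustration.

```python
import subprocess
import sys
from urllib.parse import quote, unquote


def strip_windows_realm(login):
    """Reduce DOMAIN\\user or user@REALM to the bare account name."""
    if "\\" in login:                     # down-level form: DOMAIN\user
        login = login.split("\\", 1)[1]
    if "@" in login:                      # UPN form: user@enterprise.com
        login = login.split("@", 1)[0]
    return login


def normalise_request(line):
    """Parse one request line ('<user> <password>', URL-encoded).

    Returns (user, password) with the realm removed, or None when the
    line is malformed and must be answered with ERR.
    """
    parts = line.rstrip("\r\n").split(" ")
    if len(parts) != 2:
        return None
    user = strip_windows_realm(unquote(parts[0]))
    password = unquote(parts[1])
    # An empty password can turn an LDAP simple bind into an
    # unauthenticated bind, so refuse it before the real helper sees it.
    if not user or not password:
        return None
    return user, password


def reencode(user, password):
    """Re-apply URL-encoding so the real helper gets a well-formed line."""
    return f"{quote(user, safe='')} {quote(password, safe='')}"


def main(argv):
    # argv[1:] is the real helper command line (assumption: it is passed
    # as arguments to this wrapper in the auth_param line).
    helper = subprocess.Popen(argv[1:], stdin=subprocess.PIPE,
                              stdout=subprocess.PIPE, text=True, bufsize=1)
    for line in sys.stdin:
        req = normalise_request(line)
        if req is None:
            print("ERR", flush=True)
            continue
        helper.stdin.write(reencode(*req) + "\n")
        helper.stdin.flush()
        # Fail closed if the helper died and returned nothing.
        print(helper.stdout.readline().strip() or "ERR", flush=True)


if __name__ == "__main__":
    main(sys.argv)
```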
