On Sat, 11 Sep 2004, Jacobi Michael CRPH wrote:
One question - I have another set of users that also access this web site, through anohter network that uses a dirrent proxy setup (I don't know the gory details, but I think it is Microsoft ISA). All of this stuff works correctly for them. Microsoft ISA doesn't proxy this?
A few possible cenarios:
a) This ISA is not acting as a HTTP proxy for reaching these server, just firewall.
b) They access it using https, not http.
c) It just looks like it works, sometimes, but in fact there is a total mess of who is who (once authenticated, any user may get the authenticated users credentials by just accessing the site via the proxy).
b) The server is sufficiently new and has support for the very Microsoft specific hacks Microsoft has added to deal with proxying of "Microsoft Integrated Login" and this is supported by the ISA version used there.
Squid does not support the above mentioned "HTTP extensions" as the whole scheme they use still violates fundamental aspects of HTTP connection management, and even Microsoft states openly that NTLM is not suitable for Internet authentication due to the security implications on the local domain. The difference is that now it is documented how they violate the HTTP specs and that current MSIE browsers knows NTLM violates the specs.
Regards Henrik
