Nick,

Thank you so much for your support. I am now much more confident about Negotiate/Kerberos and have just decided to jump into the real thing (as enough theory). As far as KVNO, I have not experienced it yet (as not practically implemented); however, I may too in due course and surely will share with you. Rather, I will share my whole experience.

regards,
Bilal
----------------------------------------
> From: [email protected]
> To: [email protected]; [email protected]; [email protected]
> Date: Thu, 8 Apr 2010 10:17:13 +0100
> Subject: Re: [squid-users] Re: Re: SSO with Active Directory-Squid Clients
>
> Bilal,
>
> I'm working on much the same thing, with added Apple Mac just to complicate things. My aim is to create an SSO environment for all my Windows, OSX and nix machines. I want to use Kerberos as my primary authentication as IE7 and FF onwards are moving that way.. but for my situation some browsers or applications do not support this and I must also use NTLM. However, Opera on my Macs seems to not like either and prefers Basic.. It's been a struggle to get each element to work but not impossible.
>
> I have found that all Negotiate/Kerberos supporting browsers have worked extremely well with the helper developed by Markus. Many of the authentication breaking elements have disappeared when compared to my Blue Coat and ISA experiences. Those machines joined to the domain using browsers that support Neg/Kerb work seamlessly with Kerberos - FF and IE - and pass through credentials. Mac Safari relies on NTLM and prompts as such. Mac Opera prompts for Basic. Therefore if you're just Windows I would answer fairly confidently that your question 1 answer is Yes.
>
> Users not on the domain would be prompted for credentials. I haven't tested this and depending on which helper you are using (Samba or Squid's) and whether you're joined to the domain I believe Negotiate should fall back to NTLM and work providing you supply a valid domain user/pass! So the answer to 2 would be 'depends..' :)
>
> As for the issue of not being able to use Squid at all and taking into account what I said earlier, then yes there could be a scenario where Squid will not work for your users. However, it is less of a problem in just Windows.
> It's all about testing your various Windows configurations, apps and browsers until you are sure you have covered the conceivable setups of all your users.
>
> Finally, I have been struggling against an issue where my KVNO Keytab increments in AD and gets out of sync with the exported version making Squid unusable until it's regenerated. Have you experienced this? Happy to discuss any of this off list or on.
>
> Cheers,
> Nick
>
>
> On 08/04/2010 04:06, "GIGO ." wrote:
>
> > If I select Negotiate/Kerberos as authentication protocol for my Squid on Linux and configure no fallback authentication, what would be the consequence?
> >
> > 1. Isn't it that all of my users who have logged into Active Directory and where browser is supported will be able to use Squid?
> >
> > 2. Only those users who will try to use Squid from a workgroup giving their domain password (domainname/userid) will fail as there will be no fallback available.
> >
> > 3. Is there any other scenario in which these users will not be able to use Squid?
> >
> > I would be really thankful if you guide me further as I am failing to understand why a fallback authentication is necessary, if it is. What could be the scenario when Windows clients have no valid TGT even if they are logged in to the domain? I hope you can understand me and help me to clear myself.
> >
> > regards,
> >
> > Bilal Aslam
> >
> > ----------------------------------------
> > To: [email protected]
> > From: [email protected]
> > Date: Wed, 7 Apr 2010 20:17:20 +0100
> > Subject: Re: [squid-users] Re: Re: SSO with Active Directory-Squid Clients
> >
> > Sorry I knew that but forgot to mention that I was talking about the Unix version.
> >
> > Thank you
> > Markus
> >
> > "Guido Serassio" wrote in message
> > news:[email protected]...
> > Hi Markus,
> >
> > > If you have a Windows client and the proxy sends WWW-Proxy-Authorize: Negotiate the Windows client will try first to get a Kerberos ticket and if that succeeds sends a Negotiate response with a Kerberos token to the proxy.
> > > If the Windows client fails to get a Kerberos ticket the client will send a Negotiate response with an NTLM token to the proxy. Unfortunately there is yet no squid helper which can handle both a Negotiate/Kerberos response and a Negotiate/NTLM response (although maybe the samba ntlm helper can). So there is a fallback when you use Negotiate, but it has some caveats.
> >
> > This is not true when Squid is running on Windows: the Windows native Negotiate Helper can handle both Negotiate/Kerberos and Negotiate/NTLM responses.
> >
> > Regards
> >
> > Guido Serassio
> > Acme Consulting S.r.l.
> > Microsoft Gold Certified Partner
> > VMware Professional Partner
> > Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
> > Tel. : +39.011.9530135 Fax. : +39.011.9781115
> > Email: [email protected]
> > WWW: http://www.acmeconsulting.it
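The fallback Markus describes (a Windows client that cannot obtain a Kerberos service ticket still answers the Negotiate challenge, but with an NTLM token inside the SPNEGO wrapper) is visible in the credential itself, so an administrator can tell from a capture or a debug log which mechanism a client actually chose before changing helpers. The following is an added example, not code from the thread, from Squid or from Markus's helper: a Python classifier that decodes a Proxy-Authorization value (the standard header name for the client's answer to a Proxy-Authenticate: Negotiate challenge) and reports whether it carries Kerberos, NTLM wrapped in SPNEGO, or a bare NTLMSSP message. The OID constants are the published GSS-API mechanism identifiers; the sample headers, their placeholder mechTokens and the helper names are constructed for this example.

```python
import base64

# GSS-API mechanism OIDs with their DER contents (RFC 4178, RFC 4121, MS-SPNG).
OID_SPNEGO, OID_KRB5 = "1.3.6.1.5.5.2", "1.2.840.113554.1.2.2"
OID_MS_KRB5, OID_NTLMSSP = "1.2.840.48018.1.2.2", "1.3.6.1.4.1.311.2.2.10"
OID_DER = {
    OID_SPNEGO: bytes.fromhex("2b0601050502"),
    OID_KRB5: bytes.fromhex("2a864886f712010202"),
    OID_MS_KRB5: bytes.fromhex("2a864882f712010202"),
    OID_NTLMSSP: bytes.fromhex("2b06010401823702020a"),
}
KERBEROS_OIDS = {OID_KRB5, OID_MS_KRB5}

def _der_tlv(buf, off):
    """Read one DER tag-length-value at buf[off]; return (tag, value, end offset)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length

def _der(tag, body):
    """Wrap body in a DER TLV (short- or long-form length), used to build samples."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def decode_oid(body):
    """Decode DER OID contents to dotted notation (so unknown mechs are still reported)."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def build_spnego_init(mech_oids, mech_token):
    """Minimal SPNEGO NegTokenInit for the samples (constructed, not a real client token)."""
    mech_list = _der(0x30, b"".join(_der(0x06, OID_DER[o]) for o in mech_oids))
    neg_init = _der(0x30, _der(0xA0, mech_list) + _der(0xA2, _der(0x04, mech_token)))
    return _der(0x60, _der(0x06, OID_DER[OID_SPNEGO]) + _der(0xA0, neg_init))

def classify_negotiate(header_value):
    """Report which mechanism a 'Negotiate <base64>' credential actually carries."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return {"kind": "not-negotiate", "mechs": []}
    token = base64.b64decode(b64)
    if token.startswith(b"NTLMSSP\x00"):  # bare NTLMSSP message, no GSS framing at all
        return {"kind": "raw-ntlm", "mechs": [OID_NTLMSSP]}
    if not token or token[0] != 0x60:  # GSS-API InitialContextToken is [APPLICATION 0]
        return {"kind": "unknown", "mechs": []}
    _, body, _ = _der_tlv(token, 0)
    oid_tag, oid_body, off = _der_tlv(body, 0)
    outer = decode_oid(oid_body) if oid_tag == 0x06 else ""
    if outer in KERBEROS_OIDS:  # Kerberos AP-REQ sent without the SPNEGO wrapper
        return {"kind": "raw-kerberos", "mechs": [outer]}
    if outer != OID_SPNEGO:
        return {"kind": "unknown", "mechs": [outer] if outer else []}
    ctx_tag, neg_body, _ = _der_tlv(body, off)
    if ctx_tag != 0xA0:  # [1] NegTokenResp: a later leg, no mechTypes list to inspect
        return {"kind": "spnego-resp", "mechs": []}
    _, seq_body, _ = _der_tlv(neg_body, 0)
    mechs, pos = [], 0
    while pos < len(seq_body):
        tag, val, pos = _der_tlv(seq_body, pos)
        if tag == 0xA0:  # [0] mechTypes: SEQUENCE OF OID, most preferred first
            _, lst, _ = _der_tlv(val, 0)
            p = 0
            while p < len(lst):
                t, v, p = _der_tlv(lst, p)
                if t == 0x06:
                    mechs.append(decode_oid(v))
    first = mechs[0] if mechs else None  # the mechToken belongs to the first mech
    kind = ("spnego-kerberos" if first in KERBEROS_OIDS
            else "spnego-ntlm" if first == OID_NTLMSSP else "spnego-other")
    return {"kind": kind, "mechs": mechs}

def needs_ntlm_capable_helper(result):
    """True when a Kerberos-only Negotiate helper (the Unix case) would reject this token."""
    return result["kind"] in ("raw-ntlm", "spnego-ntlm")

# Constructed sample headers; the mechTokens are placeholders, not real AP-REQ/NTLM data.
SAMPLE_HEADERS = {
    "kerberos": "Negotiate " + base64.b64encode(build_spnego_init(
        [OID_MS_KRB5, OID_KRB5, OID_NTLMSSP], b"placeholder-ap-req")).decode(),
    "ntlm-in-spnego": "Negotiate " + base64.b64encode(build_spnego_init(
        [OID_NTLMSSP], b"NTLMSSP\x00\x01\x00\x00\x00")).decode(),
    "raw-ntlm": "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode(),
}

if __name__ == "__main__":
    for name, hdr in SAMPLE_HEADERS.items():
        r = classify_negotiate(hdr)
        print(f"{name:15} {r['kind']:16} ntlm_helper_needed={needs_ntlm_capable_helper(r)}")
```

A domain-joined Windows client that returns "spnego-ntlm" is the no-TGT case Bilal asks about: the client has a TGT but could not get a service ticket for the proxy, which happens when the browser addresses the proxy by a name (or IP address) that has no matching HTTP/ SPN in AD, or when no KDC is reachable at that moment. Counting these results per client in a debug log shows whether a Kerberos-only helper on Unix is rejecting real users, and whether an NTLM-capable helper or a Basic fallback is worth the added exposure.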
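Nick's KVNO problem is a keytab/KDC mismatch: each time the proxy's AD computer or service account password is reset (re-running the keytab export does this), AD increments the key version number, the KDC starts issuing service tickets under the new kvno, and a keytab that still holds the old kvno cannot decrypt them, so the Negotiate helper fails for every client until the keytab is regenerated. As an added example that is not part of the thread, here is a Python check that compares the kvno stored in the keytab (parsed from `klist -kte`) with the kvno the KDC issues now (parsed from `kvno`), so the drift is caught by monitoring rather than by users. The command names and output layout are MIT Kerberos; the sample outputs, principal, hostname, realm and keytab path are constructed placeholders.

```python
import re
import subprocess

def keytab_kvnos(klist_output):
    """Parse `klist -kte <keytab>` output into {principal: {kvno, ...}}."""
    found = {}
    for line in klist_output.splitlines():
        parts = line.split()
        if len(parts) < 2 or not parts[0].isdigit():
            continue  # header, separator or blank line
        principal = next((p for p in parts[1:] if "@" in p), None)
        if principal:
            found.setdefault(principal, set()).add(int(parts[0]))
    return found

def kdc_kvno(kvno_output):
    """Parse `kvno <principal>` output ('PRINC: kvno = N') into (principal, N)."""
    m = re.search(r"(\S+):\s*kvno\s*=\s*(\d+)", kvno_output)
    if not m:
        raise ValueError("no 'kvno = N' line in kvno output")
    return m.group(1), int(m.group(2))

def check_keytab_sync(klist_output, kvno_output):
    """Return (ok, message): ok only if the keytab holds the kvno the KDC issues now."""
    principal, current = kdc_kvno(kvno_output)
    in_keytab = keytab_kvnos(klist_output).get(principal, set())
    if current in in_keytab:
        return True, f"{principal}: keytab kvno {current} matches the KDC"
    if not in_keytab:
        return False, f"{principal}: no entry in keytab"
    return False, (f"{principal}: keytab holds kvno {sorted(in_keytab)} but the KDC now "
                   f"issues kvno {current}; re-export the keytab")

def live_check(keytab, principal):
    """Run the real MIT tools (assumed on PATH, with a valid TGT in the ccache for `kvno`)."""
    kl = subprocess.run(["klist", "-kte", keytab], capture_output=True, text=True, check=True)
    kv = subprocess.run(["kvno", principal], capture_output=True, text=True, check=True)
    return check_keytab_sync(kl.stdout, kv.stdout)

# Constructed sample output in MIT klist/kvno layout; host, realm and path are placeholders.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 04/08/2010 10:00:00 HTTP/proxy.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 04/08/2010 10:00:00 HTTP/proxy.example.com@EXAMPLE.COM (arcfour-hmac)
"""
SAMPLE_KVNO_OK = "HTTP/proxy.example.com@EXAMPLE.COM: kvno = 3\n"
SAMPLE_KVNO_BUMPED = "HTTP/proxy.example.com@EXAMPLE.COM: kvno = 4\n"  # after a password reset

if __name__ == "__main__":
    for label, out in (("in sync", SAMPLE_KVNO_OK), ("after reset", SAMPLE_KVNO_BUMPED)):
        print(label, check_keytab_sync(SAMPLE_KLIST, out))
```

Run `live_check("/etc/squid/HTTP.keytab", "HTTP/proxy.example.com@EXAMPLE.COM")` from cron after a `kinit` for any domain user; a False result is the moment to re-export the keytab, before the helper starts failing for everyone. Keeping the old kvno entries in the keytab alongside the new ones also lets tickets issued just before the reset keep working.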
