On 14/01/2012 4:41 a.m., Javier Conti wrote:
Hi list,
I'm trying to setup access to several internal websites that use
Integrated Windows Authentication in a Windows XP/7/2008
environment through Squid 3.1.12. I successfully setup Squid
to authenticate users using Kerberos or NTLM. With Internet
Explorer and Firefox, users successfully authenticate to squid
and get access to all websites (those without Integrated
Windows Authentication actually work fine).
However, all websites using Integrated Windows Authentication
respond with a 401.1 Access Denied error, as it seems the
request reaches the web server without information about the
user's credential. Accessing those websites directly, works fine.
I still don't fully understand how Integrated Windows Authentication
really works, but is anyone successfully using it through a proxy?
Any hints or links to documentation on how it should work in detail?
Thanks, Javier
NTLM does not work over the Internet due to the way it requires breaking
HTTP protocol. Not many admin are happy breaking overall network
performance to cater for MS product design.
Kerberos is updated to fix several of the major problems NTLM had in the
handshake portion. As a result of that change it shodul in theory work
over the Internet more often. It still requires persistent connections
for anything like good performance and still depends on the "pinning"
hack to break HTTP multiplexing and emulate a end-to-end TCP connection.
So the asnwer is "yes, it works successfuly through Squid." but that
does not cover whether it works through any of your hardware, firewalls,
IDS systems, NAT systems your upstream providers, their providers, the
sites provider etc. There is a LOT of hardware and software involved.
Any one of which could break the requirements Windows LAN auth systems
depend on.
The authentication protocols which were designed to work as part of the
HTTP protocol operate just fine when sent over the Internet. As you saw.
Amos
