On 22/02/2013 5:06 a.m., Francesco wrote:
> hello,
> I am trying Squid Kerberos authentication instead of NTLM authentication
> to resolve a compatibility issue with the latest version of Windows.
> Only two things if I can:
> 1) in squid.conf, I have to specify the Windows user with a capital first
> letter. Ex: user = User@DOMAIN.
> If I specify user@DOMAIN I have no authentication to surf

Case sensitivity has nothing to do with Squid. The user details are part
of the encrypted data transferred directly between your client software
and your authentication system. When users login the authentication
system informs Squid what username just logged in - Squid uses that
label exactly as received.

> 2) squid/access.log: on some pages, I see a DENIED request and then a
> TCP_MISS for the same page. It seems the browser tries to access a page
> and it is not authenticated by the proxy server. Then the client retries
> and can reach the page. Is it normal?

Yes. This is how authentication works in general. Client connects,
server requests credentials, client repeats with credentials and gets
whatever response is appropriate for that.

If you were using Basic authentication it allows user credentials to be
sent by the browser on brand new requests so that the server challenge
part does not happen.

If you were using persistent connections in HTTP that allows a pipeline
of multiple requests to be sent on one connection with the same
credentials, reducing the connection count and thus the time auth
handshake has to occur.

... either one of these may have been happening previously such that
you would see some or most requests "just working" instead of every
single one being prefixed by a DENIED/407 handshake.

Amos
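
The DENIED/407-then-retry pattern described in this thread can be separated from clients that never complete authentication by pairing log entries. The following is an added example, not part of the original message or of Squid itself; it assumes Squid's default native access.log format, and the sample lines, addresses, user name and 5-second window are constructed for illustration.

```python
from collections import namedtuple

Entry = namedtuple("Entry", "ts client code status method url user")

# Constructed sample lines in Squid's native access.log format (not real traffic).
SAMPLE_LOG = """\
1361462760.101      2 192.0.2.10 TCP_DENIED/407 3985 GET http://example.com/ - HIER_NONE/- text/html
1361462760.180     75 192.0.2.10 TCP_MISS/200 5120 GET http://example.com/ User@EXAMPLE.LOCAL HIER_DIRECT/198.51.100.5 text/html
1361462761.300      1 192.0.2.44 TCP_DENIED/407 3985 GET http://example.com/a - HIER_NONE/- text/html
1361462762.300      1 192.0.2.44 TCP_DENIED/407 3985 GET http://example.com/a - HIER_NONE/- text/html
"""

def parse_line(line):
    """Parse one native-format line; return None if it does not fit."""
    f = line.split()
    if len(f) < 10:
        return None
    code, _, status = f[3].partition("/")
    if not status.isdigit():
        return None
    try:
        ts = float(f[0])
    except ValueError:
        return None
    return Entry(ts, f[2], code, int(status), f[5], f[6], f[7])

def classify_challenges(log_text, window=5.0):
    """Split 407 entries into (completed, unanswered) handshakes.

    A 407 is 'completed' when the same client repeats the same method and
    URL with a user name logged within `window` seconds (assumed value).
    """
    pending = {}  # (client, method, url) -> 407 entries awaiting a retry
    completed, unanswered = [], []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        key = (e.client, e.method, e.url)
        if e.status == 407:
            pending.setdefault(key, []).append(e)
        elif e.user != "-":
            # Authenticated repeat: resolve every challenge waiting on it.
            for c in pending.pop(key, []):
                (completed if e.ts - c.ts <= window else unanswered).append(c)
    for waiting in pending.values():
        unanswered.extend(waiting)
    return completed, unanswered

if __name__ == "__main__":
    done, open_ = classify_challenges(SAMPLE_LOG)
    print("completed handshakes:", [(c.client, c.url) for c in done])
    print("unanswered challenges:", [(c.client, c.url) for c in open_])
```

Completed handshakes are the normal behaviour described in the reply; a client that accumulates unanswered challenges is the case worth investigating (misconfigured client, missing Kerberos ticket, or software that cannot authenticate to the proxy).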