Re: [squid-users] NTLM Group Pop up screen

From: Josh <[email protected]>
Date: Wed, 9 Oct 2002 17:19:54 -0700

I'm not a squid expert, but what you may be experiencing is how Windows (IE)
handles authentication.
(I haven't yet configured squid to use NTLM)

If squid is using NTLM, and IE perceives your proxy to be on your local
network/domain, then it will automatically and silently answer an NTLM
challenge by default. It will prefer NTLM over Basic.

If squid returns 403 when bad credentials are used (the challenge fails),
then IE will not pop up the dialog for credentials.
The MSFT proxy, for example, continues to return 407 even with
bad credentials/challenge, which makes IE pop up the dialog.

josh cohen

----- Original Message -----
From: "Edward Mann" <edward@arctechnology.com>
To: "Jerry Murdock" <jmurdock@itraktech.com>
Cc: "Guido Serassio" <serassio@libero.it>; "Squid Users"
<squid-users@squid-cache.org>
Sent: Wednesday, October 09, 2002 3:04 PM
Subject: Re: [squid-users] NTLM Group Pop up screen

> Here is my setup doing what you suggested.
>
> auth_param ntlm program /usr/lib/squid/wb_ntlmauth
> auth_param ntlm children 5
> auth_param ntlm max_challenge_reuses 0
> auth_param ntlm max_challenge_lifetime 2 minutes
>
> auth_param basic program /usr/lib/squid/wb_auth
> auth_param basic children 5
> auth_param basic realm ChoicePoint Proxy server
> auth_param basic credentialsttl 2 hours
>
> external_acl_type NT_global_group %LOGIN /usr/lib/squid/wb_group
> acl FullAccess external NT_global_group internet
> acl internet proxy_auth REQUIRED
>
> http_access deny !FullAccess internet
> http_access allow internet
>
>
> I think I have something missing here. Can you point it out and tell me?
>
> Thanks for your help.
>
>
> On Wed, 2002-10-09 at 16:12, Jerry Murdock wrote:
> > What are your current http_access entries?
> >
> > Generally, if your proxy_auth acl is part of the denying http_access line,
> > the login will be offered again. ie:
> >
> > This will go directly to an access denied page:
> > http_access deny !My_InternetGroup_ACL
> > http_access allow My_Proxy_Auth_ACL
> >
> > This will cause a login prompt:
> > http_access deny !My_InternetGroup_ACL My_Proxy_Auth_ACL
> > http_access allow My_Proxy_Auth_ACL
> >
> > Jerry
> >
> > ----- Original Message -----
> > From: "Edward Mann" <edward@arctechnology.com>
> > To: "Guido Serassio" <serassio@libero.it>
> > Cc: <squid-users@squid-cache.org>
> > Sent: Wednesday, October 09, 2002 4:38 PM
> > Subject: Re: [squid-users] NTLM Group Pop up screen
> >
> >
> > > Hey,
> > >
> > > After reading my original message I realized that I had not made myself
> > > clear. So here is my second run at it.
> > >
> > >
> > > I have a group on our Domain called internet. If you are in this group
> > > then you are able to surf the web. (cool!) If you are not you get an
> > > Access denied page. (not Cool!) What I would like is before you are given
> > > that page, you are prompted to supply a username and password. Once you
> > > fail that then you get the Access denied screen.
> > >
> > > Thanks.
> > >
> > >
> > >
> > > On Wed, 2002-10-09 at 15:28, Guido Serassio wrote:
> > > > Hi,
> > > >
> > > > At 22.19 09/10/2002, Edward Mann wrote:
> > > > >I have been successful in getting NTLM and Group auth to work. I am
> > > > >going to write a HOW-TO if anyone is interested. Please let me know
> > > > >
> > > > >Now my question.
> > > > >
> > > > >Since I have it working, when a user goes to the web, they are given the
> > > > >Access denied screen. This is cool, but I would like to know if when the
> > > > >user is not found in the group that the dialog box for username password
> > > > >is returned to them. I have tested this with an ISA box that some of the
> > > > >people that I work with would like to move the company over to. Is this
> > > > >possible? Does the code need to be modified to do this or am I missing
> > > > >an option?
> > > >
> > > > I think that you are using External ACL for group membership check, if this
> > > > is true, take a look at the deny_info squid.conf directive.
> > > >
> > > > Regards
> > > >
> > > > Guido
> > > >
> > > >
> > > >
> > > > -
> > > > =======================================================
> > > > Serassio Guido
> > > > Via Albenga, 11/4 10134 - Torino - ITALY
> > > > E-mail: guido.serassio@serassio.it
> > > > WWW: http://www.serassio.it
> > >
>
Received on Wed Oct 09 2002 - 18:21:04 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:10:39 MST
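
Added example (not part of the original thread, and not Squid's own code): a small Python model of the http_access ordering Jerry describes, run over his two rule sets to show which one ends in a denied page (403) and which in a fresh login challenge (407). The evaluation rules, the "last ACL on the deny line decides" behaviour and the users alice and bob are assumptions of this sketch.

```python
# Simplified model of http_access evaluation (an assumption of this sketch,
# not Squid source): rules are tried in order and the first line whose ACLs
# all match wins. When a deny line wins, a proxy_auth ACL in last position
# yields 407 (re-prompt); any other last ACL yields 403 (denied page).

AUTH_ACLS = {"My_Proxy_Auth_ACL"}        # acl ... proxy_auth REQUIRED
GROUP_ACLS = {"My_InternetGroup_ACL"}    # external ACL keyed on %LOGIN
ALLOWED_GROUP = "internet"               # group name from Edward's message

def acl_matches(name, user, groups):
    if name in AUTH_ACLS:
        return user is not None
    if name in GROUP_ACLS:
        return ALLOWED_GROUP in groups
    raise ValueError(f"unknown ACL {name!r}")

def evaluate(rules, user=None, groups=()):
    """Return the status the modelled proxy sends: 200, 403 or 407."""
    for action, acls in rules:
        if user is None:
            return 407            # every ACL here needs a login first
        line_matches = all(
            acl_matches(acl.lstrip("!"), user, groups) != acl.startswith("!")
            for acl in acls
        )
        if not line_matches:
            continue
        if action == "allow":
            return 200
        return 407 if acls[-1].lstrip("!") in AUTH_ACLS else 403
    return 403                    # model default when no line matched

# Jerry's two rule sets, transcribed from his reply.
DENIED_PAGE = [("deny", ["!My_InternetGroup_ACL"]),
               ("allow", ["My_Proxy_Auth_ACL"])]
LOGIN_PROMPT = [("deny", ["!My_InternetGroup_ACL", "My_Proxy_Auth_ACL"]),
                ("allow", ["My_Proxy_Auth_ACL"])]

if __name__ == "__main__":
    # Constructed users: alice is in the group, bob is not.
    for label, rules in (("denied page", DENIED_PAGE), ("login prompt", LOGIN_PROMPT)):
        print(label, evaluate(rules, "alice", ("internet",)), evaluate(rules, "bob"))
```

Whether a 407 becomes a visible dialog still depends on the browser: as Josh's reply notes, IE may answer an NTLM challenge silently.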