Re: [squid-users] TCP_DENIED/407 using NTLM auth: is there a way to avoid it?

From: Henrik Nordstrom <[email protected]>
Date: 07 Feb 2003 17:18:27 +0100

This is from how the broken by design MS NTLM over HTTP scheme works..

On each new TCP connection there is

 1. A request without any user information
 2. A request with partial user information (computer & domain)
 3. A request with full user information

Subsequent requests on the same TCP connection is automatically
authenticated.

This is very different from how HTTP specifies that authentication
should take place.

To get rid of the majority of these messages you can switch to the HTTP
compliant Basic or Digest authentication schemes..

Regards
Henrik
 

fre 2003-02-07 klockan 14.28 skrev ikilledkenny@zipmail.com.br:
> Hi!
>
> I'm using Squid 2.5 with NTLM authentication against a Windows NT 4 domain.
> The clients use Internet Explorer, versions 5 to 6 SP1. Everything works
> fine, but I was wondering if there was a way to get rid of those TCP_DENIED/407
> messages. I don't know if I'm right, but it looks like every request made
> to the Squid comes first with no user on it, and then it gets sent again,
> this time with a user to authenticate against the NT domain. Is there a
> way to make the IE clients authenticate right on the first try? I mean...it
> looks like a waste of bandwidth, time and processing, not mentioning the
> unnecessary entries on the access.log...
>
> Thanks for the attention, and sorry if this question was already answered
> in another post... I've looked a lot for it, but couldn't find anything...
>
>
> Konrad Sauer
>
>
>
>
>
> ------------------------------------------
> Use o melhor sistema de busca da Internet
> Radar UOL - http://www.radaruol.com.br

-- 
Henrik Nordstrom <hno@squid-cache.org>
MARA Systems AB, Sweden
Received on Fri Feb 07 2003 - 09:23:33 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:13:16 MST