Re: [squid-users] Authenticate with ISA parent

From: Henrik Nordstrom <[email protected]>
Date: Tue, 25 Feb 2003 12:08:54 +0100

The ISA is configured to require "Microsoft Integrated" login over
HTTP... (technically not a HTTP authentication method, but disguises
itself as one..)

You have three options:

a) To have the ISA server reconfigured to also accept Basic
authentication, as required to be able to use the ISA proxy service
with anything else than Microsoft Explorer.. (i.e. Squid,
Netscape/Mozilla etc...) (requires cooperation from the ISA server
administrator)

b) Use a Basic->NTLM proxy gateway between Squid and the ISA server
(not the best performance..)

c) Have Squid extended to perform the NTLM negotiation to parent peers
automatically without the need for a separate Basic->NTLM
authentication gateway. (requires coding)

Regards
Henrik

On Tuesday 25 February 2003 11.43, Matthew Robinson wrote:
> Hi,
>
> I've just come up against a requirement to get a local Squid proxy
> talking to an upstream ISA server that requires authentication.
>
> The same box has been used before to talk to other upstream Squid
> servers that also require authentication (the standard
> login=user:password parameter to cache_peer worked there fine).
>
> With the ISA login it seems a domain needs to be specified at
> authentication time too, which can't be explicitly defined with
> cache_peer.
>
> I've heard that Windows authentication can (in some cases) be
> passed in the format of "DOMAIN/USERNAME" as the username in order
> to pass both values, but this didn't seem to work for me.
>
> Apologies if the answer is staring me in the face, I've searched
> the archives of this list & done the usual google groundwork but
> have come up with nothing.
>
> Thanks in advance,
>
> Matt
Received on Tue Feb 25 2003 - 04:08:26 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:13:36 MST