Re: [squid-users] Digest Auth + windows domain

From: Henrik Nordstrom <[email protected]>
Date: Thu, 23 Mar 2006 00:50:45 +0100

On Wed 2006-03-22 at 12:07 -0500, Jason Gauthier wrote:

> Is it even possible to utilize digest authentication to
> "transparently" authenticate to a windows domain?

Technically yes, but no.

MSIE does not support single-sign-on with Digest authentication.

Squid does not yet support Digest authentication integration with MSAD
(or another Digest capable directory service), and the details of how to do
this from a non-Windows server in the domain have not been reverse
engineered yet. Additionally it requires "reversibly encrypted
passwords" to be enabled in the directory, which defaults to off for
security reasons.

It is also worth noticing that the Digest implementation in MSIE is
quite crappy. Probably in part due to Digest normally not being enabled
nor recommended in the Windows world.

> Or is this only possible with NTLM?

Today NTLM and SPNEGO are the only options for single-sign-on in a Windows
domain.

Regards
Henrik

Received on Wed Mar 22 2006 - 16:51:00 MST
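
Added example (not part of the original message, and not Squid or Microsoft code): a minimal RFC 2617 Digest verifier showing why the verifying side must hold the cleartext password or the realm-specific HA1 derived from it, which is what the "reversibly encrypted passwords" requirement above amounts to. The credentials and header fields are the sample values from RFC 2617 section 3.5; the SHA-256 value is an assumed stand-in for any unrelated one-way password hash.

```python
import hashlib
import hmac


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def compute_ha1(username: str, realm: str, password: str) -> str:
    # HA1 can only be derived from the cleartext password. A directory that
    # keeps nothing but a different one-way hash cannot produce this value.
    return md5_hex(f"{username}:{realm}:{password}")


def expected_response(ha1: str, method: str, f: dict) -> str:
    # RFC 2617 response for qop=auth.
    ha2 = md5_hex(f"{method}:{f['uri']}")
    return md5_hex(
        f"{ha1}:{f['nonce']}:{f['nc']}:{f['cnonce']}:{f['qop']}:{ha2}"
    )


def verify(ha1: str, method: str, f: dict) -> bool:
    # Constant-time comparison of the expected and received response.
    return hmac.compare_digest(expected_response(ha1, method, f), f["response"])


# Sample request fields from RFC 2617 section 3.5 (user "Mufasa").
SAMPLE = {
    "username": "Mufasa",
    "realm": "testrealm@host.com",
    "uri": "/dir/index.html",
    "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093",
    "nc": "00000001",
    "cnonce": "0a4f113b",
    "qop": "auth",
    "response": "6629fae49393a05397450978507c4ef1",
}
PASSWORD = "Circle Of Life"

# Verifier that can recover the password (or stored HA1 directly): succeeds.
HA1_FROM_PASSWORD = compute_ha1(SAMPLE["username"], SAMPLE["realm"], PASSWORD)

# Verifier holding only an unrelated one-way hash (stand-in, assumed for
# illustration): there is no way to turn it into HA1, so the check fails.
UNRELATED_HASH = hashlib.sha256(PASSWORD.encode("utf-8")).hexdigest()

if __name__ == "__main__":
    print("with recoverable password:", verify(HA1_FROM_PASSWORD, "GET", SAMPLE))
    print("with unrelated one-way hash:", verify(UNRELATED_HASH, "GET", SAMPLE))
```

Because HA1 binds the username and realm, a stored HA1 is a password equivalent for that realm and needs the same protection as the password itself.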
