Re: [squid-users] ntlm auth and browser dialog

From: Adrian Chadd <[email protected]>
Date: Mon, 25 Sep 2006 16:08:07 +0800

On Mon, Sep 25, 2006, Rolf wrote:

> Firstly is it true that NTLM auth is a bit more secure as it avoids
> passing the credentials in the clear over the wire?

Yes.

> Secondly is the design of NTLM - having the squid box "joined" to the
> AD domain - intended to remove the need to send a proxy auth request
> to the browser, instead using the AD data?

No. The "joining the AD" is so Squid can issue (and cache) authentication
requests to the AD without having to do anything tricky like speak LDAP.
Some people have reported success talking to an AD setup using LDAP, bypassing
the need for the Squid server to be "joined" to the AD. Squid still sends
authentication requests to the browser and forwards those requests off to
the LDAP server.

> What I wish to do is preserve the dialog box presentation in the
> browser to show the Realm string and request user/pass as happens now
> using Basic Auth, but use NTLM instead.

That works fine. In my example I can login using DOMAIN+username via basic
authentication for the few web apps that don't speak NTLM authentication.

Adrian
Received on Mon Sep 25 2006 - 02:07:39 MDT

This archive was generated by hypermail pre-2.1.9 : Sun Oct 01 2006 - 12:00:04 MDT