Re: [SQU] NTLM Authentication and Frontpage/IIS/Exchange

From: Robert Collins <robert.collins@dont-contact.us>
Date: Fri, 1 Dec 2000 09:19:47 +1100

Yes. It's on Kinkie and my to-do list once ntlm is bedded down and complete. The auth_rewrite branch was a (successful I think)
attempt to split out the authentication code into modules so that digest can be added very easily.

Unfortunately we (my office) have been unsuccessful to date in getting Digest Authentication to work from IIS unless the IIS server
is an AD server. (MS's doco is a bit confused - some places it quotes "running on an AD DC" and others "AD must be available"....)

Anyway if you'd like to get started on Digest I'm sure we can make a branch off of auth-rewrite for you to get started in.

see rfc 2617 for the spec.

Rob

----- Original Message -----
From: "Timothy L. Minahan" <sysop@scc.edu.au>
To: "Squid-Users@Ircache. Net (E-mail)" <squid-users@ircache.net>
Sent: Friday, December 01, 2000 8:40 AM
Subject: RE: [SQU] NTLM Authentication and Frontpage/IIS/Exchange

>
> Win2K supports digest authentication. It says that it is only for win2k
> computers - has anyone thought of using this with squid?
>
> (More food for thought)
>
> Timothy
>
> -----Original Message-----
> From: Robert Collins [mailto:robert.collins@itdomain.com.au]
> Sent: Friday, 1 December 2000 8:20
> To: Palmer J.D.F.; squid-users@ircache.net
> Subject: Re: [SQU] NTLM Authentication and Frontpage/IIS/Exchange
>
>
> From the FAQ:
> http://www.squid-cache.org/Doc/FAQ/FAQ-11.html#ss11.14
>
> The ntlm branch in squid adds ntlm authentication to the proxy_auth ACLs
> used by squid. Note that NTLM cannot be proxied (even by
> microsoft proxy server).
>
> 11.14 How come Squid doesn't work with NTLM Authorization?
> We are not sure. We were unable to find any detailed information on NTLM
> (thanks Microsoft!), but here is a reference.
>
>
> We quote from the summary at the end of the browser authentication
> section:
>
> In summary, Basic authentication does not require an implicit
> end-to-end state, and can therefore be used through a proxy server.
> Windows NT Challenge/Response authentication requires implicit
> end-to-end state and will not work through a proxy server.
>
>
> Squid transparently passes the NTLM request and response headers between
> clients and servers. NTLM relies on a single end-to-end
> connection (possibly with men-in-the-middle, but a single connection
> every step of the way). This implies that for NTLM
> authentication to work at all with proxy caches, the proxy would need to
> tightly link the client-proxy and proxy-server links, as
> well as understand the state of the link at any one time. NTLM through a
> CONNECT might work, but as far as we know that hasn't
> been implemented by anyone, and it would prevent the pages being cached
> - removing the value of the proxy.
>
>
> NTLM authentication is carried entirely inside the HTTP protocol, but is
> different from Basic authentication in many ways.
>
>
> 1. It is dependent on a stateful end-to-end connection which collides
> with RFC 2616 for proxy-servers to disjoin the client-proxy
> and proxy-server connections.
> 2. It is only taking place once per connection, not per request. Once
> the connection is authenticated then all future requests on
> the same connection inherit the authentication. The connection must
> be reestablished to set up other authentication or
> re-identify the user.
>
> The reasons why it is not implemented in Netscape are probably:
>
>
> a. It is very specific for the Windows platform
> b. It is not defined in any RFC or even internet draft.
> c. The protocol has several shortcomings, where the most apparent one
> is that it cannot be proxied.
> d. There exists an open internet standard which does mostly the same
> but without the shortcomings or platform dependencies:
> digest authentication.
>
>
> ----- Original Message -----
> From: "Palmer J.D.F." <J.D.F.Palmer@swansea.ac.uk>
> To: <squid-users@ircache.net>
> Sent: Friday, December 01, 2000 3:54 AM
> Subject: [SQU] NTLM Authentication and Frontpage/IIS/Exchange
>
>
> > Hello,
> >
> > I am new to the list and therefore apologise for asking you 'noddy'
> > questions, but I'm a bit stuck.
> >
> > The scenario:
> >
> > Here at the University of Wales Swansea we are running Squid on Red
> > Hat 6.0 and at present all student web (http) traffic goes through this
> > cache (or its backup box). It is my aim to route all staff traffic
> > through this cache also; the problem is that several of our web servers
> > and all email servers are NT boxes running a combination of Exchange
> > 5.5, IIS 4 or IIS 5.
> > We have 2 domains, each having a primary and secondary domain
> > controller.
> >
> > However if I route through the cache no one can authenticate to the
> > various NT servers (to either read email via the web or to publish webs
> > via frontpage). I realise that it is possible to use basic
> > authentication but it is not really an option here.
>
> You might try Digest or SSL+Basic
>
> >
> > So I have built myself a development cache running Suse 7 and Squid
> > 2.4-20001129. I have patched this version of squid with the NTLM patch
> > and have managed to compile it successfully. But the problem I have is
> > that it doesn't seem to make any difference.
>
> Because you are trying to pass NTLM through it, not authenticate to it.
>
> > I have read that a few of you have had success in getting ntlm_auth to
> > work, so I was hoping that someone would be able to tell what I'm
> > missing out or doing wrong.
>
> Assuming that Microsoft designed their security protocol with an eye to
> scalable systems is your only mistake :-]
>
> > Do I need to specify the domain controllers somewhere?
>
> To authenticate with NTLM, yes. For what you are doing, no. If you want
> to try the authentication out (just for kicks!) then read
> on...
>
> > The configure options that I used were
> >
> > --enable-ntlm-authentication
> > --enable-basic-authentication
> > --enable-auth-modules='NCSA NTLM'
> > --enable-ntlm-auth-modules="NTLMSSP"
> >
> > and I uncommented the: # athenticate_program_ntlm
> > from the squid.conf file.
>
> The line you uncommented is an example line. IT WILL NOT WORK. You must
> add in your site specific configuration.
>
> Rob
>
> --
> To unsubscribe, see http://www.squid-cache.org/mailing-lists.html

--
To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
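As an added illustration of Rob's pointer to RFC 2617 (example code written for this page, not from the thread, from Squid or from Microsoft): the client answers a `Proxy-Authenticate: Digest` challenge and the proxy verifies it from a stored HA1, with every value the proxy needs carried in the headers rather than in connection state, which is the property NTLM lacks. The realm, nonce, user and password values are constructed; `ha1_lookup` and the `seen` set are assumed names for the proxy's credential store and replay tracking.

```python
import hashlib
import hmac
import re


def parse_digest_params(header):
    """Split 'Digest k="v", k2=v2, ...' into a dict. Works for both the
    Proxy-Authenticate challenge and the Proxy-Authorization answer."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    return {k.lower(): v.strip('"')
            for k, v in re.findall(r'(\w+)\s*=\s*("[^"]*"|[^,\s]+)', params)}


def _md5(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(user, realm, password):
    # The only value derived from the password; the proxy can store this
    # per (user, realm) instead of the cleartext password.
    return _md5(f"{user}:{realm}:{password}")


def digest_response(h1, nonce, nc, cnonce, method, uri, qop="auth"):
    """RFC 2617 response for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def build_proxy_authorization(challenge, user, password, method, uri, cnonce, nc="00000001"):
    """Client side: turn a 407 challenge into a Proxy-Authorization value."""
    c = parse_digest_params(challenge)
    resp = digest_response(ha1(user, c["realm"], password), c["nonce"], nc, cnonce, method, uri)
    return (f'Digest username="{user}", realm="{c["realm"]}", nonce="{c["nonce"]}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


def verify_proxy_authorization(header, method, ha1_lookup, seen):
    """Proxy side: recompute the response from the stored HA1 and compare.
    'seen' records (nonce, nc) pairs so a captured header cannot be replayed."""
    p = parse_digest_params(header)
    h1 = ha1_lookup(p.get("username"), p.get("realm"))
    if h1 is None or (p["nonce"], p["nc"]) in seen:
        return False
    seen.add((p["nonce"], p["nc"]))
    expected = digest_response(h1, p["nonce"], p["nc"], p["cnonce"], method, p["uri"], p.get("qop", "auth"))
    return hmac.compare_digest(expected, p["response"])
```

Because the proxy only recomputes a hash per request, it can verify any request on any client connection; Squid's proxy_auth ACL works on exactly this per-request model.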
Received on Thu Nov 30 2000 - 15:13:45 MST