RE: [SQU] NTLM Authentication and Frontpage/IIS/Exchange

From: Timothy L. Minahan <sysop@dont-contact.us>
Date: Fri, 1 Dec 2000 08:40:09 +1100

Win2K supports digest authentication. It says that it is only for win2k
computers - has anyone thought of using this with squid?

(More food for thought)

Timothy

-----Original Message-----
From: Robert Collins [mailto:robert.collins@itdomain.com.au]
Sent: Friday, 1 December 2000 8:20
To: Palmer J.D.F.; squid-users@ircache.net
Subject: Re: [SQU] NTLM Authentication and Frontpage/IIS/Exchange

From the FAQ:
http://www.squid-cache.org/Doc/FAQ/FAQ-11.html#ss11.14

The ntlm branch in squid adds ntlm authentication to the proxy_auth acl's
used by squid. Note that NTLM cannot be proxied (even by
microsoft proxy server).

11.14 How come Squid doesn't work with NTLM Authorization.
We are not sure. We were unable to find any detailed information on NTLM
(thanks Microsoft!), but here is a reference.

We quote from the summary at the end of the browser authentication
section:

  In summary, Basic authentication does not require an implicit
end-to-end state, and can therefore be used through a proxy server.
Windows NT Challenge/Response authentication requires implicit
end-to-end state and will not work through a proxy server.

Squid transparently passes the NTLM request and response headers between
clients and servers. NTLM relies on a single end-end
connection (possibly with men-in-the-middle, but a single connection
every step of the way). This implies that for NTLM
authentication to work at all with proxy caches, the proxy would need to
tightly link the client-proxy and proxy-server links, as
well as understand the state of the link at any one time. NTLM through a
CONNECT might work, but as far as we know that hasn't
been implemented by anyone, and it would prevent the pages being cached
- removing the value of the proxy.

NTLM authentication is carried entirely inside the HTTP protocol, but is
different from Basic authentication in many ways.

  1. It is dependent on a stateful end-to-end connection, which collides
with RFC 2616 for proxy-servers to disjoin the client-proxy
and proxy-server connections.
  2. It only takes place once per connection, not per request. Once
the connection is authenticated, all future requests on
the same connection inherit the authentication. The connection must
be reestablished to set up other authentication or
re-identify the user.

The reasons why it is not implemented in Netscape are probably:

  a. It is very specific to the Windows platform.
  b. It is not defined in any RFC or even internet draft.
  c. The protocol has several shortcomings, where the most apparent one
is that it cannot be proxied.
  d. There exists an open internet standard which does mostly the same
but without the shortcomings or platform dependencies:
digest authentication.

----- Original Message -----
From: "Palmer J.D.F." <J.D.F.Palmer@swansea.ac.uk>
To: <squid-users@ircache.net>
Sent: Friday, December 01, 2000 3:54 AM
Subject: [SQU] NTLM Authentication and Frontpage/IIS/Exchange

> Hello,
>
> I am new to the list and therefore apologise for asking you 'noddy'
> questions, but I'm a bit stuck.
>
> The scenario:
>
> Here at the University of Wales Swansea we are running Squid on Red Hat 6.0
> and at present all student web (http) traffic goes through this cache (or
> its backup box). It is my aim to route all staff traffic through this cache
> also, the problem is that several of our web servers and all email servers
> are NT boxes running a combination of Exchange 5.5, IIS 4 or IIS 5.
> We have 2 domains, each having a primary and secondary domain controller.
>
> However if I route through the cache no one can authenticate to the various
> NT servers (to either read email via the web or to publish webs via
> frontpage), I realise that it is possible to use basic authentication but it
> is not really an option here.

You might try Digest or SSL+Basic

>
> So I have built myself a development cache running Suse 7 and Squid
> 2.4-20001129, I have patched this version of squid with the NTLM patch and
> have managed to compile it successfully. But the problem I have is that it
> doesn't seem to make any difference.

Because you are trying to pass NTLM through it, not authenticate to it.

> I have read that a few of you have had success in getting ntlm_auth to work,
> so I was hoping that someone would be able to tell what I'm missing out or
> doing wrong.

Assuming the Microsoft designed their security protocol with an eye to
scalable systems is your only mistake :-]

> Do I need to specify the domain controllers somewhere?

To authenticate with NTLM, yes. For what you are doing, no. If you want
to try the authentication out (just for kicks!), then read
on...

> The configure options that I used were
>
> --enable-ntlm-authentication
> --enable-basic-authentication
> --enable-auth-modules='NCSA NTLM'
> --enable-ntlm-auth-modules="NTLMSSP"
>
> and I uncommented the: # athenticate_program_ntlm
> from the squid.conf file.

The line you uncommented is an example line. IT WILL NOT WORK. You must
add in your site specific configuration.

Rob

--
To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
Received on Thu Nov 30 2000 - 14:45:02 MST
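The thread's central point, that NTLM binds identity to a TCP connection while RFC 2616 lets a proxy decouple its client-side and server-side connections, can be made concrete with a small model. The following is an added example, not code from the thread or from Squid: a toy origin server that accepts either NTLM-style (per-connection) or Basic-style (per-request) credentials, and a proxy that forwards each request over whichever pooled upstream connection comes next. The client names, the two-connection pool and the round-robin choice are constructed for the illustration. It shows both failure modes a defender cares about: the authenticated client's next request arrives on an unauthenticated connection and is refused, and a different client's request arrives on the connection that was authenticated and is served under the first client's identity.

```python
# Added example (not from the thread): why connection-scoped (NTLM-style)
# authentication fails behind a proxy that pools upstream connections,
# while per-request (Basic-style) credentials survive the same proxy.
# Client names, pool size and round-robin selection are constructed here.
from itertools import cycle


class UpstreamConnection:
    """One proxy-to-origin TCP connection; NTLM binds identity to it."""

    def __init__(self, conn_id):
        self.conn_id = conn_id
        self.authenticated_user = None  # set only by a completed NTLM handshake


class OriginServer:
    """Origin accepting NTLM-style (per-connection) or Basic-style (per-request) auth."""

    def handle(self, conn, request):
        auth = request.get("auth", {})
        kind = auth.get("kind")
        if kind == "ntlm-negotiate":             # Type 1: server answers with a challenge
            return {"status": 401, "challenge": "ntlm-type2"}
        if kind == "ntlm-authenticate":          # Type 3: identity is bound to this connection
            conn.authenticated_user = auth["user"]
            return {"status": 200, "served_as": conn.authenticated_user}
        if kind == "basic":                      # credentials repeated on every request
            return {"status": 200, "served_as": auth["user"]}
        if conn.authenticated_user is not None:  # no header, but the connection is already authenticated
            return {"status": 200, "served_as": conn.authenticated_user}
        return {"status": 401, "challenge": None}


class PoolingProxy:
    """Forwards each request over the next pooled upstream connection (RFC 2616 permits this)."""

    def __init__(self, origin, pool_size=2):
        self.origin = origin
        self.pool = [UpstreamConnection(i) for i in range(1, pool_size + 1)]
        self._next = cycle(self.pool)

    def forward(self, request):
        conn = next(self._next)
        resp = self.origin.handle(conn, request)
        return dict(resp, via_conn=conn.conn_id)


def ntlm_through_proxy():
    """alice completes an NTLM handshake via the proxy; then alice and bob send plain requests."""
    proxy = PoolingProxy(OriginServer())
    log = []
    log.append(("alice", proxy.forward({"auth": {"kind": "ntlm-negotiate"}})))
    log.append(("alice", proxy.forward({"auth": {"kind": "ntlm-authenticate", "user": "alice"}})))
    log.append(("alice", proxy.forward({})))  # lands on the other, unauthenticated connection
    log.append(("bob", proxy.forward({})))    # lands on the connection alice authenticated
    return log


def basic_through_proxy():
    """Same proxy, but every request carries its own credentials."""
    proxy = PoolingProxy(OriginServer())
    return [
        ("alice", proxy.forward({"auth": {"kind": "basic", "user": "alice"}})),
        ("bob", proxy.forward({"auth": {"kind": "basic", "user": "bob"}})),
        ("alice", proxy.forward({"auth": {"kind": "basic", "user": "alice"}})),
    ]


def identity_mismatches(log):
    """Requests that were refused or served as someone other than the sending client."""
    return [(who, r) for who, r in log if r["status"] != 200 or r.get("served_as") != who]


if __name__ == "__main__":
    for label, run in (("NTLM", ntlm_through_proxy()), ("Basic", basic_through_proxy())):
        print(label)
        for who, resp in run:
            print("  client=%-5s status=%d served_as=%s via_conn=%d"
                  % (who, resp["status"], resp.get("served_as"), resp["via_conn"]))
        print("  mismatches:", len(identity_mismatches(run)))
```

With a pool of two connections the NTLM run shows alice's Type 3 message authenticating connection 2, her next request being refused on connection 1, and bob's request being served as alice on connection 2. The Basic run has no mismatches because identity travels with each request rather than with the socket; this is the property the FAQ is pointing at when it says a proxy would have to "tightly link" the two sides of the connection for NTLM to work at all.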
