On Wed, 18 Jun 2008 21:54:19 +0200
Henrik Nordstrom <henrik_at_henriknordstrom.net> wrote:
> On ons, 2008-06-18 at 13:55 +0200, Malte Schröder wrote:
>
> > 2008/06/18 13:42:16| authenticateNegotiateHandleReply: Error validating user
> > via Negotiate. Error returned 'BH received type 1 NTLM token'
> >
> > Negotiate is configured like this:
> > auth_param negotiate program /usr/lib/squid/squid_kerb_auth -i
> > auth_param negotiate keep_alive on
>
> squid_kerb_auth only support Kerberos, but it looks like that your
> client for some reason attempted to use NTLM.
>
> Negotiate is a generic wrapper for WIndows SSP exchanges, and can wrap
> both Kerberos and NTLM, and possibly other Windows authentication
> methods as well..
Would it be possible to make a client fall back to NTLM if we see that
it doesn't do "proper" Negotiate? Maybe by not announcing Negotiate to
a certain client based on User-Agent or IP?
This archive was generated by hypermail 2.2.0 : Thu Jun 19 2008 - 12:00:05 MDT