Markus Moeller wrote:
> Does anybody know how a Windows client determines the right
> authentication mechanism ? I have a case where most clients are on a
> Windows domain and squid_kerb_auth works fine. Now I have clients from
> visitors which have never been on the domain. Can I send to these
> clients a list of authentication mechanisms (e.g. Negotiate Digest
> Basic) ? If so would the client choose always Negotiate with NTLM ?
>
> Thank you
> Markus
>
IIRC it's first-known mechanism from the list of headers received in
line-order.
Depends on the windows API or library the app is built against as to
what is supported. The old API only does Basic or NTLM, the newer IE or
.NET based libraries (I'm ot sure which) seem to do Negotiate as well. I
suspect from the talk of deprecating NTLM that there is probably a new
API in Vista++ which does or will do only Basic + Negotiate.
Digest may fit in there too somehow.
IME, I think sending the correct realm or domain in the NTLM or
Negotiate auth headers may prevent clients attempting auth with a known
mechanism if they are not part of the domain.
Amos
-- Please be using Current Stable Squid 2.7.STABLE7 or 3.0.STABLE20 Current Beta Squid 3.1.0.14Received on Mon Nov 02 2009 - 10:43:08 MST
This archive was generated by hypermail 2.2.0 : Tue Nov 03 2009 - 12:00:02 MST