Re: [squid-users] Eliminate PopUP authentication for web Windows Users

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 22 Mar 2013 22:43:04 +1300

On 22/03/2013 11:18 a.m., Leonardo Rodrigues wrote:
>
> basic authentication type will always prompt for
> username/password, there's nothing wrong with it and no way to avoid
> it nor 'fix' it as there's nothing wrong at all
>

Not true. There is no more or less reason for Basic auth scheme to cause
a popup than any other. If the browser is able to find credentials that
will work against the proxy it can send them without a popup asking for
others. This is true for *all* authentication types. How the browser
gets credentials is all well outside the scope of Squid interaction.
User popup is one potential source of credentials amongst many.

> if your users are authenticated in your domain and you want squid do
> 'automagically' use those credentials for web surfing, then you'll
> have to change your authentication type to ntlm or digest or negotiate.
>
> i have LOTS of squid boxes authenticanting on ADs using ntlm
> authentication type. It's a lot more complicated to configure than
> basic type but, once configured, it works just fine and simply.

On the other hand NTLM is officially deprecated more than 10 years ago
and officially removed from the last several generations of MS products.
Carlos, if you don't already know and use NTLM try to go straight to
Kerberos with the Negotiate auth scheme.

> Em 21/03/13 18:45, Carlos Daniel Perez escreveu:
>> Hi,
>>
>> I have a Squid server configured to make querys in one ActiveDirectory
>> server trough squid_ldap_group. The query it's OK and authenticated
>> users
>> can surf the web. But, my users need to put their users and password
>> when
>> open a browser.
>>
>> [ ... ]
>> My squid_ldap_auth line is: auth_param basic program
>> /usr/lib/squid3/squid_ldap_auth -R -d -b dc=enterprise,dc=com -D
>> cn=support,cn=Users,dc=enterprise,dc=com -w 12345 -f sAMAccountName=%s
>> -h
>> 192.168.2.1
>

What traffic is going through? I think that helper does not strip the
Windows realm off the username if the browser is sending the NTLM
credentials across Basic scheme.

What version of Squid are you using (looks old if it still contains
binary named squid_ldap_auth). Some of the 3.x don't support NTLM
credentials well.

What browser is the problem showing up with? browser other than IE have
a hard time locating the Windows login credentials to use SSO.

Amos
Received on Fri Mar 22 2013 - 09:43:17 MDT

This archive was generated by hypermail 2.2.0 : Fri Mar 22 2013 - 12:00:05 MDT