[squid-users] Integrated Authentication

2005-05-03 Thread fryxar
Hi, I'm running samba3 and using the integrated NTLM authentication so
our users get authenticated to the AD Domain when they use their IE,
without being asked for a username / password.  If they aren't logged
into the AD domain, a popup opens in their browsers asking for their
username / password.  So, what I need is to disable this last option,
forcing all users to be logged into the AD if they want to use the
Internet.

I'm using the ntlm_auth authentication helper; what can I do, and how?

Thanks!


[squid-users] Integrated Authentication

2005-05-10 Thread fryxar
I'm still trying to force my users to be logged in with their workstation
to the Active Directory, if they want to use the Internet proxy, with
the user/password/domain popup authentication window request disabled from
the proxy.

As far as I understand, I have the following "truths":

- A proxy can authenticate an Active Directory user by using
Integrated Windows Authentication, so no user/password/domain is
requested and windows logon credentials are used, and to do that it can
use as authentication protocols NTLM or Kerberos.  These protocols are
used between the browser and the proxy.

- MS ISA 2004 supports both (NTLM and Kerberos) authentication
protocols

- Squid supports only the NTLM authentication protocol

- IE 6 supports the Kerberos authentication protocol, but it doesn't work
if you are using a workstation with Win9x/Me/NT Operating System.

So, because Squid only supports the NTLM authentication protocol, I can't
disable from the proxy the popup authentication to the AD, nor can I
disable it if I have workstations with Win9x/Me/NT Operating System on
the network.

Am I right?  Thanks!


Re: [squid-users] Integrated Authentication

2005-05-10 Thread Serassio Guido
Hi,
At 17.51 10/05/2005, fryxar wrote:
> I'm still trying to force my users to be logged in with their workstation
> to the Active Directory, if they want to use the Internet proxy, with
> the user/password/domain popup authentication window request disabled from
> the proxy.
>
> As far as I understand, I have the following "truths":
>
> - A proxy can authenticate an Active Directory user by using
> Integrated Windows Authentication, so no user/password/domain is
> requested and windows logon credentials are used, and to do that it can
> use as authentication protocols NTLM or Kerberos.  These protocols are
> used between the browser and the proxy.
>
> - MS ISA 2004 supports both (NTLM and Kerberos) authentication
> protocols
>
> - Squid supports only the NTLM authentication protocol
>
> - IE 6 supports the Kerberos authentication protocol, but it doesn't work
> if you are using a workstation with Win9x/Me/NT Operating System.
>
> So, because Squid only supports the NTLM authentication protocol, I can't
> disable from the proxy the popup authentication to the AD, nor can I
> disable it if I have workstations with Win9x/Me/NT Operating System on
> the network.
>
> Am I right?  Thanks!

No, you are not right.
Using the NTLM authentication scheme you can authenticate your DOMAIN clients 
(Win 9x, NT4, W2k, ...) logged in with a DOMAIN user without any prompt using 
Squid or ISA Server.

If you are logged in with a LOCAL user account, you will ALWAYS be prompted 
for username/password/domain with both Squid and ISA Server.

Regards
Guido

-

Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/


Re: [squid-users] Integrated Authentication

2005-05-16 Thread Henrik Nordstrom
On Tue, 10 May 2005, fryxar wrote:
> - MS ISA 2004 supports both (NTLM and Kerberos) authentication
> protocols

Not sure about the Kerberos part, at least not when running as an HTTP 
proxy. The WINSOCKS proxy part most certainly supports both.

> - Squid supports only the NTLM authentication protocol

Kerberos (Negotiate scheme) is on the way. See 
http://devel.squid-cache.org/. Also dependent on Samba where this is not 
quite ready yet.

> - IE 6 supports the Kerberos authentication protocol, but it doesn't work
> if you are using a workstation with Win9x/Me/NT Operating System.

According to my information IE 6 only supports Kerberos to web servers, 
not proxies. There is no obvious reason why it should not support 
Kerberos authentication to HTTP proxies but all information I have seen 
indicates it does not support this.

> So, because Squid only supports the NTLM authentication protocol, I can't
> disable from the proxy the popup authentication to the AD, nor can I
> disable it if I have workstations with Win9x/Me/NT Operating System on
> the network.

You can't disable either NTLM or Kerberos login popups from the proxy. To 
the proxy there is no difference if the user has logged in directly to the 
domain, or on demand via the popup. In both cases the user is logged in to 
the domain in the eyes of the proxy.

If you want to stop this it has to be done by domain policies, making the 
client refuse to allow the user to log in using the popup. Not sure if 
this is possible.

Regards
Henrik