Hi Henrik,

At 09.13 08/09/2003, Henrik Nordstrom wrote:

On Sun, 7 Sep 2003, Serassio Guido wrote:

> I have also tried this solution, but things seem to be more unstable.

In what way?

Very high rate of random authentication pop-ups.


> I have some doubts about challenge reuse: with this type of authenticator,
> can the challenge be reused?

The challenge packet should never be reused, but if you have clients which
are guaranteed to be compatible then it may work for NTLM if you are
lucky.

As in the other message to Robert:


It seems that in Squid there is a problem:
I'm using auth_param ntlm max_challenge_reuses 0, but sometimes I get a KK without a YR, so the helper sends a BH to Squid and Internet Explorer pops up for authentication.


In NTLMv2 the challenge packet can not be reused at all.

> Another question: it works fine with Mozilla's NTLM and with IE when the
> machine is in the right domain, when the machine is in another domain, IE
> pops up randomly asking for username/password/domain again.

No idea.

> So, if possible, can you take a look at the sources to see if there is
> anything missing?

I can try, but I am very busy with other tasks at the moment.

Robert or Kinkie: Do you have any possibility to look into this?

To make such verification easier, please collect the following pieces of
information:

1. access.log with log_mime_hdrs
2. traffic to/from the helper, identified by helper instance
3. calls & responses from the Windows SSP module, identified by helper
instance.

OK, I will collect some transaction logs; currently I have tested it with NT 4, 2000 and 2003 clients.


I have added to the helper a hex dump capability to dump the NTLM packets in hex format in the log; this is very useful to check what happens.

Regards

Guido



-
========================================================
Guido Serassio
Acme Consulting S.r.l.
Via Gorizia, 69             10136 - Torino - ITALY
Tel. : +39.011.3249426      Fax. : +39.011.3293665
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/
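
An added example, not part of the original message and not code from Squid or the helper: a checker over helper traffic (item 2 in the list above) that flags a KK reaching a helper instance with no YR outstanding, the condition described in the thread under `max_challenge_reuses 0`, and verifies that each KK carries an NTLM type 3 message. The log line layout, the function names and all sample lines are assumptions constructed for illustration; the TT and AF replies come from Squid's NTLM helper protocol rather than from this message.

```python
import base64
import struct

NTLM_SIG = b"NTLMSSP\x00"  # signature that opens every NTLM message

def ntlm_type(b64):
    """NTLM message type (1 negotiate, 2 challenge, 3 authenticate) or None."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) < 12 or not raw.startswith(NTLM_SIG):
        return None
    return struct.unpack_from("<I", raw, 8)[0]  # little-endian type field

def check_helper_log(lines):
    """Return (line_no, instance, reason) for each anomaly in helper traffic."""
    pending = set()  # instances that received a YR not yet consumed by a KK
    findings = []
    for no, line in enumerate(lines, 1):
        parts = line.split(None, 3)
        if len(parts) < 3:
            continue
        inst, direction, verb = parts[:3]
        arg = parts[3] if len(parts) > 3 else ""
        if direction == ">" and verb == "YR":
            pending.add(inst)
        elif direction == ">" and verb == "KK":
            if inst not in pending:
                findings.append((no, inst, "KK without preceding YR"))
            if ntlm_type(arg) != 3:
                findings.append((no, inst, "KK payload is not NTLM type 3"))
            pending.discard(inst)  # no reuse, as with max_challenge_reuses 0
        elif direction == "<" and verb == "BH":
            findings.append((no, inst, "helper answered BH"))
    return findings

def sample_blob(msg_type):
    """Constructed 20-byte NTLM header, base64-encoded, for the sample log."""
    raw = NTLM_SIG + struct.pack("<I", msg_type) + bytes(8)
    return base64.b64encode(raw).decode()

# Constructed sample; assumed layout: "<instance> <direction> <message>"
SAMPLE = [
    f"1 > YR {sample_blob(1)}", f"1 < TT {sample_blob(2)}",
    f"1 > KK {sample_blob(3)}", "1 < AF EXAMPLE\\user",
    f"2 > KK {sample_blob(3)}", "2 < BH constructed reason",
    f"1 > KK {sample_blob(3)}",
]
```

Running `check_helper_log(SAMPLE)` reports the orphan KK on instance 2, the BH that follows it, and the second KK on instance 1 that tries to use an already consumed challenge.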
