----- Original Message ----- From: "Henrik Nordstrom" <hen...@henriknordstrom.net>
To: "Markus Moeller" <hua...@moeller.plus.com>
Cc: <squid-dev@squid-cache.org>
Sent: Saturday, March 06, 2010 10:26 AM
Subject: Re: "negotiate" auth with fallback to other schemes


Fri 2010-03-05 at 20:44 +0000, Markus Moeller wrote:

I don't understand this part. Usually the KDC is on AD, so how can NTLM work
and Kerberos not?

The NTLM client just needs the local computer configuration +
credentials entered interactively by the user. All communication with
the AD is indirect via the proxy. The client does not need any form of
ticket before trying to authenticate via NTLM, just the username +
domain + password.

For similar reasons NTLM also does not have any protection from MITM
session theft, meaning that the auth exchange done to the proxy may just
as well be used by a MITM attacker to authenticate as that client to any
server in the network for any purpose.


So it makes the statement "Kerberos may fail just because the client
has no connectivity with the KDC, and in this case NTLM could be a
useful second choice" false, since in the case of NTLM it will fail too as
the KDC (AD) is unavailable.


Regards
Henrik

Regards
Markus

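For readers wanting to see the configuration the thread is arguing about, the following squid.conf fragment is an added example (not from Henrik's or Markus's message, nor from the Squid project docs) that offers Negotiate first and NTLM only as a fallback; the helper paths, the service principal and the realm are assumed placeholders.

```conf
# Added example (not from the thread): offer Negotiate (Kerberos) first and
# NTLM only as a fallback.  Squid offers schemes to the client in the order
# the auth_param lines appear, so Negotiate is listed first.
# Helper paths, principal and realm below are placeholders.

# Negotiate/Kerberos: the client itself must obtain a service ticket from
# the KDC, so this scheme depends on client-to-KDC connectivity.
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy.example.com@EXAMPLE.COM
auth_param negotiate children 10
auth_param negotiate keep_alive on

# NTLM fallback: the client only needs local configuration plus the
# interactively entered credentials; the proxy's helper contacts the domain
# controller on the client's behalf, so it still works when the client
# cannot reach the KDC.  As the thread notes, the NTLM exchange has no
# MITM protection, so keep this scheme only while non-Kerberos clients
# genuinely need it and drop it once they are gone.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm keep_alive on

# Require authentication via whichever offered scheme the client completes.
acl authenticated proxy_auth REQUIRED
http_access deny !authenticated
http_access allow authenticated
```

Because the client chooses among the offered schemes, a client with no Kerberos ticket will complete the NTLM exchange instead; removing the auth_param ntlm lines is what actually disables that fallback.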