Thu 2006-09-21 at 13:00 +0200, Benner, Uwe wrote:

> Proxy A and B have to have NTLM authentication.
> 1st case both Proxies are squid
> 2nd case proxy A = squid proxy B = some appliance

Here is a problem... NTLM cannot be forwarded beyond the proxy which
performed the NTLM handshake. The protocol is explicitly designed to
prevent this. At most, the authenticated username can be forwarded, either
as faked Basic authentication with a static password or as a custom
header, but not the NTLM handshake as such.

> 1. Client sends http request for www.xyz.com
> 2. Proxy A denies and sends a request for authentication to the client
> 3. Client sends user/pwd and Proxy A authenticates the user and provides
> OK

Except that there is no password exchange in NTLM, only a cryptographic
one-time hash exchange unique for the authenticating entity.

> Does it work, that proxy B is requesting the authentication from the
> client again?

Only when using basic authentication.

Regards
Henrik
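
The "faked Basic authentication with a static password" option mentioned in the reply above, sketched as a squid.conf fragment for proxy A. This is an added example and not part of the original message; the helper path, peer hostname, port and shared password are placeholders.

```conf
# squid.conf on proxy A (added example; all names and values below are placeholders)

# Proxy A terminates the NTLM handshake with the client itself.
# Helper path is an assumption (Samba's ntlm_auth); adjust to the local install.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10

# Only authenticated users may use proxy A.
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all

# Forward requests to proxy B. login=*:password sends the username that
# proxy A authenticated, as Basic credentials with a fixed password.
# The NTLM handshake itself is not forwarded.
cache_peer proxy-b.example.internal parent 3128 0 no-query default login=*:CHANGE_ME_SHARED_SECRET

# Route all traffic through proxy B rather than going direct.
never_direct allow all
```

With this setup proxy B sees only a username vouched for by proxy A, so the fixed password is effectively a shared secret between the two proxies. Proxy B should accept these credentials only from proxy A's address, and the link between them should be on a trusted network since Basic credentials are not encrypted.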
