On 30/06/2012 11:36 p.m., Navas wrote:
Hi,
I have setup squid authentication with Kerberos to the 2003 Active
Directory. I could test it successfully to all browsers but failed in IE6.
So I used following squid.conf to get NTLM auth for IE6
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
#auth_param negotiate program /usr/sbin/squid_kerb_auth -d
auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm
/usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp
--domain=SYSNET.LOCAL --kerberos /usr/sbin/squid_kerb_auth -d -s
GSS_C_NO_NAME
auth_param negotiate children 10
auth_param negotiate keep_alive on
### pure ntlm authentication
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics
--helper-protocol=squid-2.5-ntlmssp --domain=SYSNET.LOCAL
auth_param ntlm children 10
auth_param ntlm keep_alive off
acl auth proxy_auth REQUIRED
But the question is it need separate configuration as in ### pure ntlm
authentication for specifically for NTLM?
Is it never work with first entries only which supposed to be worked with
both NTLM and Kerberos ?
Yes it needs to be a seprate configuration for IE6 and older software
which only supports "pure" NTLM.
The newer software will know that NTLM can be reponded using
Negotiate/NTLM. But then you would not have had problems with negotiate
to start with if they were doing that properly.
Amos
