On Tue, 10 May 2005, fryxar wrote:
- MS ISA 2004 support both (/NTLM and Kerberos) authentication protocols
Not sure about the Kerberos part, at leas not when running as a HTTP proxy. The WINSOCKS proxy part most certainly supports both.
- Squid support only NTLM authentication protocol
Kerberos (Negotiate scheme) is on the way. See http://devel.squid-cache.org/. Also dependent on Samba where this is not quite ready yet.
- IE 6 support Kerberos authentication protocol, but it doesn't work if you are using a workstation with Win9x/Me/NT Operating System.
According to my information IE 6 only supports Kerberos to web servers, not proxies. There is no obvious reasons to why it should not support Kerberos authentication to HTTP proxies but all information I have seen indicates it does not support this.
So, because Squid only suppport NTLM authentication protocol, I can't disable from the proxy the popup authentication to the AD, neither disable it if I have in the net workstations with Win9x/Me/NT Operating System.
You can't disable either NTLM or Kerberos login popups from the proxy. To the proxy there is no difference if the user has logged in directly to the domain, or on demand via the popup. In both cases the user is logged in to the domain in the eye of the proxy.
If you want to stop this it has to be done by domain policies, making the client refuse to allow the user to log in using the popup. Not sure if this is possible.
Regards Henrik
