On Fri, 12 Aug 2005, Tay Teck Wee wrote:
1) But it would be most strange that squid on version
2.4 could serve up the pop-up auth box while version
2.5 cannot.
Not at all.
2.4 does not know about the HTTP breakage introduced by Microsoft in their
NTLM & Negotiate authentication schemes, and will happily forward the
messages as seen resulting in total caos after a while (including major
security issues on the server).
2.5 knows both NTLM and Negotiate violates HTTP and can not be proxied in
a good manner.
Also newer versions of MSIE and IIS also knows this and will automatically
disable the use of NTLM and Negotiate when a proxy is detected.
This said Micriosoft some time ago documented a method whereby proxies can
announce that they know how to proxy NTLM and Negotiate. This unofficial
HTTP extension is not supported by Squid or likely to ever become an
official part of the HTTP specifications.
NTLM and it's successor Negotiate was never intended by Microsoft to be
used outside a local LAN. The whole protocol is a quick hack to get the
transparent authentication used for Windows file sharing with clients
logged on to a domain also working for intranet access on the local LAN.
Other uses of these authentication mechanisms is outside their intended
scope.
2) Besides suggesting Basic authentication or Digest
authentication for the web site, is there any
workaround on squid side? This is because we are an
ISP and have no control over the webserver concerned.
You could additionally try vonvince the site owner that if the data is
sensitive requiring authentication then perhaps it is also a good idea to
protect the transfers by using https.
A "workaround" on the Squid side would see to have the Microsoft HTTP
extension including it's delicate implications on HTTP connection
management implemented in Squid. The extension is found in the same
Internet-Draft document documenting the Negotiate (Kerberos over HTTP)
authentication scheme ("draft-jaganathan-kerberos-http-01", section "6.
Security Considerations").
Regards
Henrik
