On Tue, 20 Sep 2005, Dave Raven wrote:
> Is it possible to use digest as a failover to ntlmssp?

Yes, if your browser allows it. You can even configure all three schemes (NTLM, Digest, Basic). Browsers are supposed to select the strongest of the offered schemes, but in reality they tend to select the first they support of the offered schemes. The order offered by Squid is the same as your auth_param directives in squid.conf.

> So summed up - is it possible to authenticate against an ntlm server as basic does, but with digest between the client and the cache?

The use of digest requires a digest compatible backend. Currently this only includes a local digest specific password file on the cache server.
In squid-3 there is an enhanced Digest helper also supporting LDAP storage of the digest passwords (both plain-text and hashed formats supported), but this still requires Digest specific attributes to be available in the LDAP server and is not using the same password mechanisms as normal LDAP authentication.
There is hope of eventually supporting integration with "real" Digest capable authentication backends such as ADS or Radius, but unfortunately there is very little standardization on how to integrate Digest authentication with an authentication server, and in addition the Squid Digest implementation needs some redesign to allow for such integration. But there is good hope both issues will resolve over time, making Digest authentication as easy to use as Basic authentication in most networks.
Regards
Henrik
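
Why Digest needs a Digest-specific backend, as an added example that is not part of the original message and not Squid's code: the proxy never receives the password, only a hash over it, so it can check the response only if it already holds the plain-text password or the hash HA1 = MD5(user:realm:password). The store layout and function names are hypothetical; the sample values are the published example from RFC 2617 section 3.5.

```python
import hashlib
import hmac


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username, realm, password):
    # The only secret a Digest verifier needs. A backend that merely answers
    # "is this user/password pair valid?" (Basic style) cannot supply it.
    return md5_hex(f"{username}:{realm}:{password}")


def expected_response(stored_ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    # RFC 2617 response for qop=auth, computed from the stored HA1.
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{stored_ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def verify(digest_store, realm, method, fields):
    # fields: parameters parsed from the client's Digest authorization header.
    # Note that no password is present in them.
    stored = digest_store.get((fields["username"], realm))
    if stored is None:
        return False
    want = expected_response(stored, method, fields["uri"], fields["nonce"],
                             fields["nc"], fields["cnonce"], fields["qop"])
    return hmac.compare_digest(want, fields["response"])


# Sample data (RFC 2617 section 3.5 example values).
REALM = "testrealm@host.com"
DIGEST_STORE = {("Mufasa", REALM): ha1("Mufasa", REALM, "Circle Of Life")}
CLIENT_FIELDS = {
    "username": "Mufasa",
    "uri": "/dir/index.html",
    "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093",
    "nc": "00000001",
    "cnonce": "0a4f113b",
    "qop": "auth",
    "response": "6629fae49393a05397450978507c4ef1",
}

if __name__ == "__main__":
    print("valid:", verify(DIGEST_STORE, REALM, "GET", CLIENT_FIELDS))
```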