Re: ntlm popups, but no basic authentication


Horváth Szabolcs wrote:

Hi,

I have a question about NTLM authentication protocol. Here is my relevant squid conf:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=internet-group
auth_param ntlm children 100
auth_param ntlm max_challenge_reuses 100
auth_param ntlm max_challenge_lifetime 5 minutes

acl AuthorizedUsers proxy_auth REQUIRED
http_access allow AuthorizedUsers
http_access deny all

When a user who is not a member of "internet-group" requests a webpage, an authentication window appears (login and password).

On the proxy side, I see:

1138260038.968      0 10.2.32.248 TCP_DENIED/407 1428 GET http://www.index.hu/ - NONE/- text/html
1138260038.971      0 10.2.32.248 TCP_DENIED/407 1418 GET http://www.index.hu/ - NONE/- text/html
1138260038.977      4 10.2.32.248 TCP_DENIED/407 1428 GET http://www.index.hu/ - NONE/- text/html

My question is: is this the correct behavior?

http://en.wikipedia.org/wiki/NTLM
I think in the first and second case the 407 answer is correct, because we have no information about whether the authentication succeeded.
But when the client sends the type 3 response, squid will accept or deny the user. When denied, why send back 407

This is fine,
If a proxy does not accept the credentials sent with a
request, it SHOULD return a 407 (Proxy Authentication Required).

See the 2617 RFC.


Thanks

--
Emilio Casbas
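
The reasoning in this thread, applied to access.log as an added example (not code from either poster or from Squid): two 407s are the expected part of the NTLM exchange, and a third 407 for the same client and URL means the type 3 message was rejected. The two-second window, the second client's log lines and the user name jdoe are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample: the three lines from the post, followed by a constructed
# successful handshake from a hypothetical second client and user.
SAMPLE_LOG = """\
1138260038.968      0 10.2.32.248 TCP_DENIED/407 1428 GET http://www.index.hu/ - NONE/- text/html
1138260038.971      0 10.2.32.248 TCP_DENIED/407 1418 GET http://www.index.hu/ - NONE/- text/html
1138260038.977      4 10.2.32.248 TCP_DENIED/407 1428 GET http://www.index.hu/ - NONE/- text/html
1138260040.100      0 10.2.32.10 TCP_DENIED/407 1428 GET http://www.example.com/ - NONE/- text/html
1138260040.104      0 10.2.32.10 TCP_DENIED/407 1418 GET http://www.example.com/ - NONE/- text/html
1138260040.250    140 10.2.32.10 TCP_MISS/200 5120 GET http://www.example.com/ jdoe DIRECT/192.0.2.10 text/html
"""

HANDSHAKE_407S = 2  # 407s the post treats as expected (before type 3 is judged)
WINDOW = 2.0        # seconds; assumed upper bound for one handshake


def parse(line):
    """Return the fields used below from a native-format access.log line."""
    f = line.split()
    if len(f) < 10 or "/" not in f[3]:
        return None
    return {"ts": float(f[0]), "client": f[2],
            "status": f[3].split("/", 1)[1], "url": f[6], "user": f[7]}


def classify(log_text):
    """Map (client, url) to 'rejected', 'authenticated' or 'incomplete'."""
    runs = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec:
            runs[(rec["client"], rec["url"])].append(rec)
    verdicts = {}
    for key, recs in runs.items():
        recs.sort(key=lambda r: r["ts"])
        streak, start, verdict = 0, None, "incomplete"
        for r in recs:
            if r["status"] != "407":
                if r["user"] != "-":       # a user name is logged once auth succeeds
                    verdict = "authenticated"
                streak, start = 0, None
                continue
            if start is None or r["ts"] - start > WINDOW:
                streak, start = 0, r["ts"]  # a new handshake begins
            streak += 1
            if streak > HANDSHAKE_407S:     # 407 again after the type 3 message
                verdict = "rejected"
        verdicts[key] = verdict
    return verdicts
```

Calling classify(SAMPLE_LOG) marks 10.2.32.248 as rejected and 10.2.32.10 as authenticated. Parallel requests from one client for the same URL would interleave their 407s, so on a busy proxy treat the verdict as a hint rather than proof.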


