Hi,
Guillermo Gomez wrote:
Mark Elsen wrote:
My situation is simple:
A web site is using NTLM authentication and asks the user for credentials
(without squid).
Our squid goes out through a NAT connection, then when the user tries
with squid configured, an IIS error shows up in the browser saying:
You are not authorized to view this page
You do not have permission to view this directory or page using the
credentials that you supplied because your Web browser is sending a
WWW-Authenticate header field that the Web server is not configured to
....
http://www.squid-cache.org/Doc/FAQ/FAQ-11.html#ss11.14
Some extracts from this FAQ section :
+We cannot proxy connections to an origin server that use NTLM
authentication, but we can act as a web accelerator or proxy server
and authenticate the client connection using NTLM.
...
+The protocol has several shortcomings, where the most apparent one is
that it cannot be proxied.
....
M.
:( so basically there's no working solution for proxying this kind of site.
The only workaround we have is to configure the clients to not proxy
this site and then configure my nat/firewall to let this GET go through,
but this solution avoids completely squid controls and pushes our team to
configure more than 400 stations.
Does anyone have a better solution?
Well, the real solution is to get the web host to use a _standard_
method of authentication. There is no standard detailing NTLM and it is
severely broken as you have discovered.
Even Microsoft admit that it should only be used on a corporate network
(i.e. not the Internet)!
You should suggest that they use basic auth over https or digest.
Sorry this isn't more positive but feel free to complain to Microsoft!
ATB,
Neil.
--
Neil Hillard hillardn@xxxxxxxxx
Westland Helicopters Ltd. http://www.whl.co.uk/
Disclaimer: This message does not necessarily reflect the
views of Westland Helicopters Ltd.
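
The FAQ extract and the advice in the reply above can be turned into a check over a site's 401 response headers. This is an added example, not part of the thread: the header lines and host names are constructed samples, and the function names are hypothetical. It lists the schemes offered in WWW-Authenticate and reports whether one of the alternatives named in the thread (Digest, or Basic over https) is available.

```python
import re

# A challenge begins with a bare scheme token (for example "NTLM" or "Digest").
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

def offered_schemes(header_lines):
    """Return the auth schemes named in WWW-Authenticate headers, lowercased, in order."""
    schemes = []
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() != "www-authenticate":
            continue
        # Empty out quoted strings so commas inside realm="..." are not split on.
        value = re.sub(r'"(?:[^"\\]|\\.)*"', '""', value)
        # Join "key = value" so a parameter name is never mistaken for a scheme.
        value = re.sub(r"\s*=\s*", "=", value)
        for part in value.split(","):
            words = part.split()
            if not words or "=" in words[0] or not TOKEN.fullmatch(words[0]):
                continue  # empty piece or an auth parameter, not a new challenge
            schemes.append(words[0].lower())
    return schemes

def assess(url, header_lines):
    """Compare the offered schemes with the alternatives suggested in the thread."""
    schemes = offered_schemes(header_lines)
    https = url.lower().startswith("https://")
    # Digest, or Basic only when carried over https, as the reply recommends.
    usable = [s for s in schemes if s == "digest" or (s == "basic" and https)]
    return {
        "schemes": schemes,
        "ntlm_offered": "ntlm" in schemes,
        "proxy_friendly": usable,
        # NTLM is offered and none of the suggested alternatives is available.
        "needs_origin_change": "ntlm" in schemes and not usable,
    }

# Constructed sample responses (not captured from any real site).
SAMPLE_NTLM = [
    "HTTP/1.1 401 Unauthorized",
    "WWW-Authenticate: Negotiate",
    "WWW-Authenticate: NTLM",
    "Content-Type: text/html",
]
SAMPLE_MIXED = [
    "HTTP/1.1 401 Unauthorized",
    'WWW-Authenticate: Digest realm="intranet, staff", nonce="abc", qop="auth", Basic realm="intranet"',
]

if __name__ == "__main__":
    print(assess("http://site.example/", SAMPLE_NTLM))
    print(assess("https://site.example/", SAMPLE_MIXED))
```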