Sat 2006-06-24 at 20:51 -0700, Merton Campbell Crockett wrote:
> In this instance, Squid received an HTTP/1.1 response from the IIS
> 6.x server with a status of 401. Included in the HTTP response
> header were the following fields.
>
> WWW-Authenticate: Negotiate
> WWW-Authenticate: NTLM
>
> Squid returned an HTTP/1.0 response to the IE client. The above were
> not included in the HTTP response header. As the WWW-Authenticate is
> required in both HTTP/1.0 and HTTP/1.1 specifications, Squid is
> returning an invalid response header. If I understand your response
> correctly, this is intentional.

Correct, as returning the above two HTTP-violating headers does more harm than good. (Well, the headers as such are not HTTP violations, but their implementations of the NTLM, Negotiate and Kerberos schemes on top of HTTP are.)

This filter was added to prevent major security issues from relaying these non-HTTP authentication methods via an RFC-compliant HTTP proxy such as Squid.

At about the same time Microsoft added their own filters to MSIE, ignoring these headers when using a proxy for the exact same reasons, and published a document on how proxies can announce to MSIE that the proxy does support the deviations from the HTTP protocol required to support these authentication schemes.

This extension to HTTP is supported in Squid-2.6 and later.

Regards
Henrik
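The filtering described in the reply above, as an added sketch that is not part of the original message and is not Squid's code. It assumes one challenge per `WWW-Authenticate` field, as in the quoted IIS response; the function names and the `connection_auth_supported` switch are hypothetical.

```python
# Added illustration; not Squid source code.
# Schemes named in the reply above as non-HTTP-compliant over a proxy.
CONNECTION_BOUND_SCHEMES = {"ntlm", "negotiate", "kerberos"}


def challenge_scheme(value):
    """Return the lowercased scheme token of one WWW-Authenticate value."""
    parts = value.strip().split(None, 1)
    return parts[0].lower() if parts else ""


def filter_challenges(status, headers, connection_auth_supported=False):
    """Drop connection-bound challenges from an origin response.

    headers is a list of (name, value) pairs, one challenge per field
    (assumption, matching the quoted IIS response). Returns
    (kept_headers, dropped_values, challenge_less_401).
    connection_auth_supported is a hypothetical switch standing in for a
    proxy that implements the extension and relays the headers unchanged.
    """
    blocked = set() if connection_auth_supported else CONNECTION_BOUND_SCHEMES
    kept, dropped = [], []
    for name, value in headers:
        is_challenge = name.lower() == "www-authenticate"
        if is_challenge and challenge_scheme(value) in blocked:
            dropped.append(value.strip())
        else:
            kept.append((name, value))
    has_challenge = any(n.lower() == "www-authenticate" for n, _ in kept)
    # A 401 left with no challenge is what the IE client in the thread saw.
    return kept, dropped, status == 401 and not has_challenge


# Header fields from the quoted response; Content-Length is constructed.
IIS_401 = [("WWW-Authenticate", "Negotiate"),
           ("WWW-Authenticate", "NTLM"),
           ("Content-Length", "0")]
# Constructed variant: the origin also offers Basic, which survives.
MIXED_401 = [("www-authenticate", "NTLM"),
             ("WWW-Authenticate", 'Basic realm="intranet"')]

if __name__ == "__main__":
    for label, hdrs in (("IIS_401", IIS_401), ("MIXED_401", MIXED_401)):
        kept, dropped, bare = filter_challenges(401, hdrs)
        print(label, "kept:", kept, "dropped:", dropped, "bare 401:", bare)
```

The third return value flags the case raised in the quoted question: a 401 that reaches the client with every challenge removed.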