On Mon, Sep 25, 2006, Rolf wrote:

> Firstly is it true that NTLM auth is a bit more secure as it avoids
> passing the credentials in the clear over the wire?

Yes.

> Secondly is the design of NTLM - having the squid box "joined" to the
> AD domain - intended to remove the need to send a proxy auth request
> to the browser, instead using the AD data?

No. The "joining the AD" is so Squid can issue (and cache) authentication
requests to the AD without having to do anything tricky like speak LDAP.

Some people have reported success talking to an AD setup using LDAP,
bypassing the need for the Squid server to be "joined" to the AD.
Squid still sends authentication requests to the browser and forwards
those requests off to the LDAP server.

> What I wish to do is preserve the dialog box presentation in the
> browser to show the Realm string and request user/pass as happens now
> using Basic Auth, but use NTLM instead.

That works fine. In my example I can log in using DOMAIN+username via basic
authentication for the few web apps that don't speak NTLM authentication.

Adrian