On 2/21/07, Adrian Chadd <adrian@xxxxxxxxxxxxxxx> wrote:
> On Tue, Feb 20, 2007, Chris Nighswonger wrote:
> > Hi All,
> > I am sure that this must be a common issue with proxies and NTLM.
> > (yuk..) My users run a variety of apps which desire to access the
> > internet. Many of them do not play well with NTLM auth. I have been in
> > the practice of simply using squid ACLs to permit access to these apps
> > without authentication based on their destination domain. I am
> > wondering what ways others have used to address this issue and would
> > like to hear them. Or perhaps this is the best way.
>
> Which version of Squid are you using? Squid-2.6 improves on this quite a lot.

2.6.STABLE9

Some of these apps have in their proxy settings the option to enter username/password. However, it looks as if they are passing these credentials off *basic* auth style. Below are my auth_param settings for both ntlm and basic. It seems that I have seen somewhere in this list a post which showed using the squid 'ntlmssp' helper as the 'basic program' setting. Perhaps this is what I need to do so that when the app passes basic auth credentials they are checked against the DC?

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 17
auth_param ntlm keep_alive on
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 2
auth_param basic realm Campus Proxy Server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

This issue is especially acute with anti-virus client updates.

Thanks for the assistance.

Chris
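
An added example, not part of the original thread or anyone's production configuration: a squid.conf sketch that combines the two approaches discussed above, a Basic scheme checked against the domain through Samba's ntlm_auth and a destination-domain bypass for update traffic. It assumes winbind is running and joined to the domain; the ACL names, the update domain and the client subnet are placeholders.

```conf
# Added example for Squid 2.6 with Samba's ntlm_auth. ACL names, the
# update domain and the client subnet below are placeholders.

# Schemes are offered to clients in the order they are configured,
# so NTLM-capable browsers keep using NTLM.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 17
auth_param ntlm keep_alive on

# Basic fallback for apps that only send a username/password.
# ntlm_auth has a separate helper protocol for Basic, which validates
# the credentials against the domain through winbind instead of a
# local ncsa_auth password file.
# Caveat: Basic credentials travel base64-encoded, not encrypted,
# between the client and the proxy, so these are domain passwords
# readable by anyone who can capture that traffic.
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 2
auth_param basic realm Campus Proxy Server
auth_param basic credentialsttl 2 hours

# Unauthenticated bypass, kept as narrow as possible: only internal
# clients, only the vendor's update domain (placeholder values).
acl localnet src 192.0.2.0/24
acl av_updates dstdomain .av-updates.example
acl domain_users proxy_auth REQUIRED

# Order matters: the bypass rule must come before the first rule that
# references proxy_auth, otherwise Squid challenges the client first.
http_access allow localnet av_updates
http_access allow localnet domain_users
http_access deny all
```

Requests that match the bypass rule carry no username in access.log, so the destination list is the only control on that traffic and is worth reviewing periodically.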