Thanks Henrik

That it is! I did not realize the stateful requirement of digest auth. We changed the architecture of squid a little and then it worked. F5 is now using some kind of configuration to have an active-passive schema.

Regards,

LD

On Wednesday 02 July 2008 06:06:34 Henrik Nordstrom wrote:
> On tis, 2008-07-01 at 20:25 -0500, Luis Daniel Lucio Quiroz wrote:
> > 1214974554.906 0 99.90.40.253 TCP_DENIED/407 3249 GET
> > http://www.presidencia.gob.mx/imgs/edomayor_over.gif a2 NONE/- text/html
> >
> > if we use persistence, it works, but we can stop using of sharing
> > usernames. Balancing schema is like this:
> >
> > user -> balancer f5 -> squid1
> >                    \-> squid2
> >
> > Squid is configured with LDAP-digest auth.
>
> digest auth needs persistent sessions to work best. Without session it
> will perform quite badly with many repeated 407 exchanges.
>
> The reason for this is that digest authentication is stateful, with the
> server verifying that the client responds to a challenge sent by that
> server. This is part of the replay protection against authenticated
> session theft and by design in the digest authentication scheme. Each
> time the client gets connected to a new proxy server the server-issued
> challenge needs to be renewed.
>
> basic authentication works well with "dumb" TCP load balancing, as it's
> completely stateless.
>
> NTLM/Negotiate also works with "dumb" TCP load balancing, as it's very
> stateful but at the TCP connection level, not at the HTTP message
> level.
>
> Regards
> Henrik