Abdessamad BARAKAT wrote:
Hi people,
Nobody to give me feedback about this feature (NTLM auth pass
through)?
You know as much about this as most here. It doesn't work.
I'm no expert myself but I suspect the reason goes something like this:
(wild guess)
NTLM is a sub-band authentication in background channels directly
between the server and client. Now the client thinks the reverse proxy IS
the server, so it is happy to authenticate with it. Squid is possibly able
to pass the login details back to Exchange, which requires NTLM with the
client. The client goes, hang on a minute, I wasn't talking to you, and kills
the auth. Squid does not have the client-stored secret information to
set up a fake NTLM sequence to Exchange on behalf of the username/pass it
knows.
As I said, I'm no expert, but it seems to me that is likely what the
issue is. If I'm wrong, can someone please indicate why such an old and
popular item as NTLM re-auth has not been implemented in _any_ version
of Squid yet?
Amos
Thanks
On 14 Jul 2008 at 12:39, Abdessamad BARAKAT wrote:
Hi,
I need to reverse proxy an OWA 2007 service and I have some problems
with NTLM authentication and the RPC connection. Squid offers an SSL
service and connects itself to the OWA with an SSL connection.
The NTLM authentication is made by the OWA, so I need Squid to pass
the credentials through without modifying them.
Actually I only get a 401 error code, but when I switch the
authentication to "Basic authentication" in the Outlook Anywhere
settings, it's working. I really want to have NTLM authentication
working so I don't have to ask all users to change their settings.
The squid is chrooted.
I have tried the following versions:
- 3.0 STABLE7
- 2.7STABLE3
- 2.6STABLE21
- 2.6STABLE3
My setup (sometimes I need to add acl all or logfile_daemon between
versions, that's all):
#### CHROOT
chroot /usr/local/squid
mime_table /etc/mime.conf
icon_directory /share/icons
error_directory /share/errors/English
unlinkd_program /libexec/unlinkd
cache_dir ufs /var/cache 100 16 256
cache_store_log /var/logs/store.log
access_log /var/logs/access.log squid
pid_filename /var/logs/squid.pid
logfile_daemon /libexec/logfile-daemon
####
# Define the required extension methods
extension_methods RPC_IN_DATA RPC_OUT_DATA
# Publish the RPCoHTTP service via SSL
https_port 192.168.1.122:8443 cert=/etc/apache2/ssl/webmail.corporate.com.pem defaultsite=webmail.corporate.com
cache_peer 172.16.18.13 parent 443 0 no-query originserver login=PASS ssl sslflags=DONT_VERIFY_PEER name=exchangeServer
acl all src 0.0.0.0/0.0.0.0
acl EXCH dstdomain .corporate.com
cache_peer_access exchangeServer allow EXCH
cache_peer_access exchangeServer deny all
never_direct allow EXCH
# Lock down access to just the Exchange Server!
http_access allow EXCH
http_access deny all
miss_access allow EXCH
miss_access deny all
#no local caching
#maximum_object_size 0 KB
#minimum_object_size 0 KB
#no_cache deny all
#access_log /usr/local/squid/var/logs/access.log squid
Thanks a lot for any tips or information.
--
Please use Squid 2.7.STABLE3 or 3.0.STABLE7
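To put Amos's suspicion above into runnable form, here is an added simulation (not code from this thread, nor Squid's own code) of why a reverse proxy that forwards the Authorization header with login=PASS but does not pin each client connection to one backend connection ends up with 401s: the NTLM Type 2 challenge state lives on the backend TCP connection, so the client's Type 3 response must arrive on that same connection. The OriginServer, reverse_proxy and the minimal NTLMSSP header blobs are simplified constructs of this example, not the real OWA or Squid behaviour.

```python
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE, CHALLENGE, AUTHENTICATE = 1, 2, 3   # NTLM Type 1 / Type 2 / Type 3

def ntlm_message_type(authorization):
    """Message type carried by 'Authorization: NTLM <base64>', or None if not NTLM or malformed."""
    if not authorization or not authorization.startswith("NTLM "):
        return None
    try:
        blob = base64.b64decode(authorization[5:], validate=True)
    except ValueError:
        return None
    if len(blob) < 12 or blob[:8] != NTLMSSP_SIGNATURE:
        return None
    return struct.unpack_from("<I", blob, 8)[0]

def make_ntlm_header(msg_type):
    """Constructed minimal NTLMSSP blob (signature + type only); real messages carry more fields."""
    return "NTLM " + base64.b64encode(NTLMSSP_SIGNATURE + struct.pack("<I", msg_type)).decode()

class OriginServer:
    """NTLM-protected origin (e.g. OWA): the Type 2 challenge state is bound to the TCP connection."""
    def __init__(self):
        self.challenged = set()   # backend connection ids with an outstanding Type 2 challenge
    def handle(self, backend_conn, authorization):
        msg = ntlm_message_type(authorization)
        if msg == NEGOTIATE:
            self.challenged.add(backend_conn)
            return 401            # 401 + WWW-Authenticate: NTLM <Type 2>; Type 3 expected here
        if msg == AUTHENTICATE and backend_conn in self.challenged:
            self.challenged.discard(backend_conn)
            return 200            # Type 3 arrived on the connection that issued the challenge
        return 401                # no challenge outstanding on this connection: start over

def reverse_proxy(requests, pin_connections):
    """Forward (client_conn, authorization) pairs to the origin and return the status codes."""
    origin, pinned, pool_next, results = OriginServer(), {}, 0, []
    for client_conn, authorization in requests:
        # pinned: a client connection keeps its own backend connection for its whole lifetime;
        # unpinned: each request goes out on the next pooled backend connection
        backend = pinned.setdefault(client_conn, len(pinned)) if pin_connections else pool_next
        pool_next += 1
        results.append(origin.handle(backend, authorization))
    return results

# Constructed client handshake: Type 1 then Type 3, both on the same client connection
HANDSHAKE = [("client-A", make_ntlm_header(NEGOTIATE)),
             ("client-A", make_ntlm_header(AUTHENTICATE))]
```

With pinning the handshake completes (401 then 200); without it the Type 3 lands on a backend connection that never issued a challenge and the origin answers 401 again, which is the symptom described in the thread.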