Dean A. Welbourn wrote:
Hi Amos,
Many thanks for your reply. I have tried changing the config to connection-auth=on but I still get the username/password prompt, and even if I enter correct credentials, after three attempts the ISA proxy returns an access denied page.
Is there anything else I could be missing?
Many thanks,
Dean
----- Original Message -----
From: "Amos Jeffries" <squid3@xxxxxxxxxxxxx>
To: "Dean A. Welbourn" <welbournd@xxxxxxxxxxxxx>
Cc: "squid-users" <squid-users@xxxxxxxxxxxxxxx>
Sent: 14 January 2009 22:49:06 o'clock (GMT) Europe/London
Subject: Re: NTLM Passthru to ISA2006
Hi,
Sorry forgot to say that bit! I'm running Squid 2.7 STABLE 5 on Windows
Server 2003 (this is my boss's preferred OS).
Thanks,
Dean
----- Original Message -----
From: "Amos Jeffries" <squid3@xxxxxxxxxxxxx>
To: "Dean A. Welbourn" <welbournd@xxxxxxxxxxxxx>
Cc: squid-users@xxxxxxxxxxxxxxx
Sent: 14 January 2009 20:21:08 o'clock (GMT) Europe/London
Subject: Re: NTLM Passthru to ISA2006
Hi,
Sorry for the delay, I've been out of the office for a few days.
Currently I have the following (I don't have any auth_ settings enabled):
# Define source all
acl all src all
# Define Safe Ports
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
# Allow access to ALL
http_access allow all
# Define port to listen on
http_port 8080
# Define cache peer
cache_peer holly.selby.college parent 8080 7 proxy-only no-query no-digest login=PASS default
Many thanks,
Dean
----- Original Message -----
From: "Amos Jeffries" <squid3@xxxxxxxxxxxxx>
To: "Dean A. Welbourn" <welbournd@xxxxxxxxxxxxx>
Cc: "squid-users" <squid-users@xxxxxxxxxxxxxxx>
Sent: 11 January 2009 21:46:03 o'clock (GMT) Europe/London
Subject: Re: NTLM Passthru to ISA2006
Hi,
I'm trying to implement a Squid proxy with a parent of ISA2006 using
integrated NTLM passthru. Should this be possible? I either get three
username/password prompts before I get an authorization required error
message from the ISA server or just a page can not be displayed error?
Any help would be greatly appreciated, this is for a college project.
Many thanks,
Dean Welbourn
What configuration do you have at present? Particularly the auth_*,
cache_peer, acl, and http_access lines in the order they appear.
Amos
Ah right. Squid version?
This is only expected to work in Squid-2.6, 2.7, or 3.1.
I have an experiment going with another user at present. The results so
far lead me to believe that cache_peer with NTLM pass-thru can have either
login=PASS - to pass login to backend in Basic format.
or
connection-auth=on - to pass NTLM messages through.
but not both at the same time.
Combining appears to cause multiple-login boxes from the backend which may
not succeed even with correct credentials.
This is not fully confirmed yet, so take it with a very large portion of
doubt. But it may be worthwhile trying the other config.
Amos
I've cc'd you in on the OWA thread where this has had a bit more
permutation testing. Albeit under Squid-3.1.0.3.
It appears to be the same issue and a bug in Squid's pass-thru handling.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE5 or 3.0.STABLE11
Current Beta Squid 3.1.0.3
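
Added example (not part of the thread and not Squid project code): a small Python check that reads squid.conf text and reports, for each cache_peer line, whether it uses login=PASS, connection-auth=on, or the combination Amos describes above. The sample configuration and the peer-b.example / peer-c.example hosts are constructed, and the "conflict" label reflects the thread's tentative finding, not confirmed Squid behaviour.

```python
# Constructed sample: the first cache_peer line is the one quoted in the
# thread; the other two peers are hypothetical, added for comparison.
SAMPLE_CONF = """\
http_port 8080
# cache_peer old.example parent 8080 0 login=PASS connection-auth=on
cache_peer holly.selby.college parent 8080 7 proxy-only no-query no-digest login=PASS default
cache_peer peer-b.example parent 8080 0 no-query connection-auth=on
cache_peer peer-c.example parent 8080 0 no-query login=PASS connection-auth=on  # both set
"""


def check_cache_peers(conf_text):
    """Return {peer_host: verdict} for every active cache_peer line.

    Verdicts:
      basic-pass     login=PASS only (client login forwarded in Basic format)
      ntlm-passthru  connection-auth=on only (NTLM messages passed through)
      conflict       both options on one peer, the case reported in the
                     thread to cause repeated login prompts
      none           neither option present
    """
    verdicts = {}
    for raw in conf_text.splitlines():
        tokens = raw.split()
        # cache_peer hostname type http-port icp-port [options]
        if len(tokens) < 5 or tokens[0] != "cache_peer":
            continue  # other directives and commented-out lines
        opts = []
        for tok in tokens[5:]:
            if tok.startswith("#"):  # trailing comment: ignore the rest
                break
            opts.append(tok)
        basic = "login=PASS" in opts
        ntlm = "connection-auth=on" in opts
        if basic and ntlm:
            verdicts[tokens[1]] = "conflict"
        elif basic:
            verdicts[tokens[1]] = "basic-pass"
        elif ntlm:
            verdicts[tokens[1]] = "ntlm-passthru"
        else:
            verdicts[tokens[1]] = "none"
    return verdicts


if __name__ == "__main__":
    for host, verdict in check_cache_peers(SAMPLE_CONF).items():
        print(f"{host}: {verdict}")
```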