cc'ing David W. who appears to have the same issue on 2.7 with similar
but different pass-thru code.
Alan Lehman wrote:
Yes. Multiple authentication methods, triggered from multiple sources,
going via multiple paths can be confusing.
Squid auth_param elided, which leaves:
"A user name and password are being requested by ..."
== basic challenge by ISA.
"Enter user name and password for ..."
== integrated/NTLM challenge by ISA.
I'm now thinking we have two distinct configurations for Squid:
Basic Auth (only) passed back:
cache_peer ... login=PASS connection-auth=off
NTLM Auth (only) passed back:
cache_peer ... connection-auth=on
Which appear to be non-compatible auth methods at present.
What happens if you re-enable the connection-auth on https_port and
remove the login=PASS from cache_peer?
Amos
OWA is back to the previous double login with Firefox. Activesync PDA
won't accept login.
Oh dear. Well, if it's not working individually or combined, I'm stumped.
At least we have one method that works for Alan. (Dean it turned out to
be turning connection-auth=off on the port).
But having to turn it off is not good. I've opened a bug report to track
this. http://www.squid-cache.org/bugs/show_bug.cgi?id=2572
Is there any possibility of getting a full trace of the headers to/from
Squid from both the Client and the Server facing links when NTLM is
being attempted?
If so that would be useful info for the bug, so someone with a bit more
knowledge and time than me can track down what needs to be fixed.
Along with:
* build configuration options (squid -v output)
* full (comment free) configuration settings
* cache.log trace at level ALL,9 for the request duration.
PS. If either of you has the inclination to wade through that data and
guess at what the problem is, it would be a great help too.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE5 or 3.0.STABLE11
Current Beta Squid 3.1.0.3
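
Added example, not part of the original thread or of Squid itself: one way to read the header traces requested above is to compare the `WWW-Authenticate` challenges on the server-facing and client-facing links and see which schemes do not survive the proxy. Both traces and the `example.com` hostnames are constructed sample data; treating NTLM, Negotiate and Kerberos as the connection-oriented schemes is the assumption the classification rests on.

```python
# Added example: compare the auth challenges seen on each side of the proxy.
# Both traces are constructed sample data, not captures from this thread.

# Assumption: these are the schemes that authenticate a connection, not a request.
CONNECTION_ORIENTED = {"ntlm", "negotiate", "kerberos"}

SERVER_SIDE = """HTTP/1.1 401 Unauthorized
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm="owa.example.com"
Content-Length: 0
"""

CLIENT_SIDE = """HTTP/1.0 401 Unauthorized
WWW-Authenticate: Basic realm="owa.example.com"
Content-Length: 0
Via: 1.0 proxy.example.com (squid)
"""


def challenges(raw_response):
    """Return the schemes offered in WWW-Authenticate headers, lowercased, in order."""
    schemes = []
    for line in raw_response.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        if name.strip().lower() == "www-authenticate" and value.strip():
            schemes.append(value.split()[0].lower())
    return schemes


def compare(server_raw, client_raw):
    """Report which challenges the origin offered and which reached the client."""
    server, client = challenges(server_raw), challenges(client_raw)
    dropped = [s for s in server if s not in client]
    return {
        "server_offers": server,
        "client_sees": client,
        "dropped_by_proxy": dropped,
        # True when everything that went missing is a connection-oriented scheme
        "connection_auth_filtered": bool(dropped)
        and all(s in CONNECTION_ORIENTED for s in dropped),
        "client_can_try_ntlm": any(s in CONNECTION_ORIENTED for s in client),
    }


if __name__ == "__main__":
    for key, val in compare(SERVER_SIDE, CLIENT_SIDE).items():
        print(f"{key}: {val}")
```

A result with `connection_auth_filtered` true and `client_can_try_ntlm` false means the client was only ever offered Basic, which narrows the bug report to the proxy's handling of the challenge instead of the client's response to it.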