
RE: NTLM accelerator authentication weirdness


 



> cc'ing David W. who appears to have the same issue on 2.7 with similar
> but different pass-thru code.
> 
> Alan Lehman wrote:
> >> Yes. Multiple authentication methods, triggered from multiple sources,
> >> going via multiple paths can be confusing.
> >>
> >> Squid auth_param elided, which leaves:
> >>
> >> "A user name and password are being requested by ..."
> >>     == basic challenge by ISA.
> >>
> >> "Enter user name and password for ..."
> >>     == integrated/NTLM challenge by ISA.
> >>
> >>
> >> I'm now thinking we have two distinct configurations for Squid:
> >>
> >> Basic Auth (only) passed back
> >>   cache_peer ... login=PASS connection-auth=off
> >>
> >> NTLM Auth (only) passed back:
> >>   cache_peer ... connection-auth=on
> >>
> >>
> >> Which appear to be non-compatible auth methods at present.
> >> What happens if you re-enable the connection-auth on https_port and
> >> remove the login=PASS from cache_peer?
> >>
> >> Amos
> >>
> >
> > OWA is back to the previous double login with Firefox. Activesync PDA
> > won't accept login.
> 
> Oh dear. Well if it's not working individually or combined, I'm stumped.
> At least we have one method that works for Alan. (Dean it turned out to
> be turning connection-auth=off on the port).
> 
> But having to turn it off is not good. I've opened a bug report to track
> this. http://www.squid-cache.org/bugs/show_bug.cgi?id=2572
> 
> Is there any possibility of getting a full trace of the headers to/from
> Squid from both the Client and the Server facing links when NTLM is
> being attempted?
> If so that would be useful info for the bug, so someone with a bit more
> knowledge and time than me can track down what needs to be fixed.
> 
> Along with:
>   * build configuration options (squid -v output)
>   * full (comment free) configuration settings
>   * cache.log trace at level ALL,9 for the request duration.
> 
> 
> PS. If either of you has the inclination to wade through that data and
> guess at what the problem is it would be a great help too.
> 
> Amos

I'll try to run the traces you requested and post them to bugzilla.
I should clarify that with connection-auth=off I am still getting the
basic authentication challenge. In all cases I am intending to
authenticate against the upstream OWA server. Sorry I'm so slow getting
back.
Alan
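
The header traces requested above for the bug report will contain Basic credentials and NTLM tokens. The following is an added example, not part of the original thread: a Python sketch that redacts them before posting while keeping the scheme and the NTLM handshake step visible. The helper names, the sample trace and the host `owa.example.com` are constructed for illustration.

```python
import base64
import re

AUTH_SUFFIXES = ("authorization", "authenticate")  # incl. the Proxy- variants
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
HEADER_RE = re.compile(r"^([A-Za-z-]+):\s*(\S+)(?:\s+(.+))?$")

def ntlm_message_type(token):
    """Name the NTLM handshake step carried by a base64 token, or None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    # Every NTLM message starts with "NTLMSSP\0" then a 32-bit LE type.
    if len(raw) < 12 or raw[:8] != b"NTLMSSP\x00":
        return None
    return NTLM_TYPES.get(int.from_bytes(raw[8:12], "little"), "UNKNOWN")

def redact_line(line):
    """Hide credential data on one header line; keep scheme and NTLM step."""
    m = HEADER_RE.match(line.strip())
    if not m or not m.group(1).lower().endswith(AUTH_SUFFIXES) or not m.group(3):
        return line  # not an auth header, or a bare challenge ("NTLM")
    name, scheme, data = m.groups()
    step = ntlm_message_type(data)
    if step:
        return f"{name}: {scheme} <NTLM {step} redacted>"
    if name.lower().endswith("authorization"):
        return f"{name}: {scheme} <credentials redacted>"
    return line  # e.g. Basic realm="...": a challenge, nothing secret

def redact_trace(text):
    """Apply redact_line to every line of a captured header trace."""
    return "\n".join(redact_line(l) for l in text.splitlines())

def fake_ntlm(msg_type):
    """Constructed stand-in for an NTLM token: signature, type, padding."""
    body = b"NTLMSSP\x00" + msg_type.to_bytes(4, "little") + b"\x00" * 8
    return base64.b64encode(body).decode()

# Constructed sample trace, not taken from the thread.
SAMPLE = "\n".join([
    "GET /exchange/ HTTP/1.1",
    "Authorization: NTLM " + fake_ntlm(1),
    "HTTP/1.1 401 Unauthorized",
    "WWW-Authenticate: NTLM " + fake_ntlm(2),
    'WWW-Authenticate: Basic realm="owa.example.com"',
    "Authorization: Basic dXNlcjpwYXNz",
])
```

Running `redact_trace` over the client-facing and server-facing captures separately shows at which hop the NTLM handshake stops or falls back to Basic, without exposing the account.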



