
Re: Squid Auth question for machines not belonging to a AD domain


Markus Moeller wrote:
Does anybody know how a Windows client determines the right authentication mechanism? I have a case where most clients are on a Windows domain and squid_kerb_auth works fine. Now I have clients from visitors which have never been on the domain. Can I send to these clients a list of authentication mechanisms (e.g. Negotiate Digest Basic)? If so, would the client always choose Negotiate with NTLM?

Thank you
Markus


IIRC it's first-known mechanism from the list of headers received in line-order.

Depends on the Windows API or library the app is built against as to what is supported. The old API only does Basic or NTLM, the newer IE or .NET based libraries (I'm not sure which) seem to do Negotiate as well. I suspect from the talk of deprecating NTLM that there is probably a new API in Vista++ which does or will do only Basic + Negotiate.

Digest may fit in there too somehow.


IME, I think sending the correct realm or domain in the NTLM or Negotiate auth headers may prevent clients attempting auth with a known mechanism if they are not part of the domain.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE20
  Current Beta Squid 3.1.0.14
