"Henrik Nordstrom" <henrik@xxxxxxxxxxxxxxxxxxx> wrote in message
news:1257212761.2980.2.camel@xxxxxxxxxxxxxxxxxxxxxxxx
Mon 2009-11-02 at 23:42 +1300, Amos Jeffries wrote:
IME, I think sending the correct realm or domain in the NTLM or
Negotiate auth headers may prevent clients attempting auth with a known
mechanism if they are not part of the domain.
If Microsoft had thought about using the required realm parameter in
their NTLM and Negotiate over HTTP schemes maybe, but as it is now those
two "smells like HTTP auth but is not" authentication schemes do not
support realms and will probably never do.
I tested with Firefox and IE 8 and it looks like that when Squid returns a
list like Negotiate Digest, Firefox will try Negotiate with NTLM and, when
this fails, tries Digest and stays with Digest when successful. IE 8 just
tries Negotiate with NTLM. So IE 8 will never be able to authenticate
non-domain machines, or is there a way to verify an NTLM password from a
standalone machine?
Does anybody know how MS intends to deal with this (e.g. guests in a company
network) in an MS-only environment with ISA proxy?
Thank you
Markus
Regards
Henrik
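
An added example, not part of the thread: a small parser for the Proxy-Authenticate challenges of a 407 response, showing that only the Digest challenge gives the client a realm while Negotiate and NTLM carry either nothing or an opaque token. The header values are constructed, and the code assumes one challenge per header line.

```python
import re

# Constructed sample: Proxy-Authenticate values from a 407 response offering
# three schemes, one challenge per header line (all values are made up).
SAMPLE_407 = [
    "Negotiate",
    "NTLM",
    'Digest realm="proxy.example.test", qop="auth", nonce="c29tZW5vbmNl", stale=false',
]

# token68 form (RFC 7235): a single base64-like blob, optionally '=' padded.
_TOKEN68 = re.compile(r"[A-Za-z0-9._~+/-]+=*")
# auth-param form: name=token or name="quoted string".
_PARAM = re.compile(r'([A-Za-z0-9_-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))')


def parse_challenge(value):
    """Split one challenge into (scheme, params, token68)."""
    scheme, _, rest = value.strip().partition(" ")
    rest = rest.strip()
    if _TOKEN68.fullmatch(rest):
        # Negotiate/NTLM continuation challenges carry one opaque blob,
        # so there is no place for a realm parameter.
        return scheme, {}, rest
    params = {}
    for m in _PARAM.finditer(rest):
        raw = m.group(2) if m.group(2) is not None else m.group(3)
        params[m.group(1).lower()] = re.sub(r"\\(.)", r"\1", raw)
    return scheme, params, None


def realm_report(header_values):
    """Return [(scheme, realm or None)] in the order the proxy offered them."""
    report = []
    for value in header_values:
        scheme, params, _ = parse_challenge(value)
        report.append((scheme, params.get("realm")))
    return report


if __name__ == "__main__":
    for scheme, realm in realm_report(SAMPLE_407):
        print(f"{scheme:<10} realm={realm!r}")
```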