Search squid archive

Re: Re: Squid Auth question for machines not belonging to a AD domain

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




"Henrik Nordstrom" <henrik@xxxxxxxxxxxxxxxxxxx> wrote in message news:1257278257.20561.5.camel@xxxxxxxxxxxxxxxxxxxxxxxx
tis 2009-11-03 klockan 19:44 +0000 skrev Markus Moeller:

But how would that work if the guest uses his own machine e.g. Kerberos (no ticket available) nor NTLM (no shared machine key available) can be used or
?  and ISA (or squid) sends Negotiate as the first auth option ?

NTLM works without shared machine key by manual entry of login+password
+domain when needed in the browser settion. Only the proxy needs a
machine key to verify the login (not verified by browser).


Sorry, but it isn't clear to me. So basically the proxy can not verify the password as the proxy will never have the machine key to verify the login ?

Negotiate also works as long as the client station can talk to the KDC
and request a ticket, on the same premises. Maybe the ticket is even
issued via the proxy in such case (not entirely sure).


Ok this might work. The client should in theory be able to ask for a kdc through SRV records and authenticate the user and get a TGS.

Neither NTLM or Negotiate strictly requires the user to be logged on to
the domain, it just won't be automatic if he is not.

Regards
Henrik






[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux