"Henrik Nordstrom" <henrik@xxxxxxxxxxxxxxxxxxx> wrote in message
news:1257278257.20561.5.camel@xxxxxxxxxxxxxxxxxxxxxxxx
tis 2009-11-03 klockan 19:44 +0000 skrev Markus Moeller:
But how would that work if the guest uses his own machine e.g. Kerberos
(no
ticket available) nor NTLM (no shared machine key available) can be used
or
? and ISA (or squid) sends Negotiate as the first auth option ?
NTLM works without shared machine key by manual entry of login+password
+domain when needed in the browser settion. Only the proxy needs a
machine key to verify the login (not verified by browser).
Sorry, but it isn't clear to me. So basically the proxy can not verify the
password as the proxy will never have the machine key to verify the login ?
Negotiate also works as long as the client station can talk to the KDC
and request a ticket, on the same premises. Maybe the ticket is even
issued via the proxy in such case (not entirely sure).
Ok this might work. The client should in theory be able to ask for a kdc
through SRV records and authenticate the user and get a TGS.
Neither NTLM or Negotiate strictly requires the user to be logged on to
the domain, it just won't be automatic if he is not.
Regards
Henrik