(copy for the list.) It's out of my knowledge zone now, so is someone with SSO working able to assist? On Tue, 23 Feb 2010 16:41:35 -0800 (PST), Michael Mansour <micoots@xxxxxxxxx> wrote: > Hi Amos, > > --- On Tue, 23/2/10, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote: > >> From: Amos Jeffries <squid3@xxxxxxxxxxxxx> >> Subject: Re: Is there a way to stop the Auth Window pop-up >> in the Web browser? >> To: squid-users@xxxxxxxxxxxxxxx >> Received: Tuesday, 23 February, 2010, 7:24 PM >> Michael Mansour wrote: >> > Hi, >> > >> > I have Squid authenticating AD domain accounts (via >> it's LDAP helper) >> > to an AD backend, if the user is part of an allowed >> "Internet Users" >> > group they get internet access, if they don't >> authenticate or aren't >> > part of the "Internet Users" group they don't get >> internet access. >> > >> > What I'm after is a way to get rid of the "pop up" >> authentication >> > Window when the browser starts and uses the Squid >> proxy server. >> > >> > The Windows workstations that access Squid are all >> part of an AD >> > domain and the users that login to those workstations >> login with >> > their valid AD accounts. >> > >> > I've tested various solutions from Web searches for >> NTLM pass-thru, >> > where for example, Firefox has "about:config" and ntlm >> settings you >> > can set in there, and for IE adding URL's to the >> Intranet zone, but >> > they don't work. I keep having Squid prompt for a >> username and >> > password. >> >> Are the browsers using NTLM or Kerberos? it makes a >> difference if Squid is only configured for one. > > I'm relatively new to this. The Squid server is currently in test so I'm > able to change things on a whim. > > When I was in the Firefox browser testing this, I only made changes to the > NTLM config settings. With IE it only seemed to be a change to the local > intranet zone. > > On the Linux server, I'm only running Squid with the Squid LDAP helper, am > not running Samba or winbind. I have read some material which says to get > Kerberos working you need to have Samba and winbind working? > > At the moment the Squid setup works fine, it queries the Windows AD > correctly for users and groups they belong to and allows/disallows access > to various websites depending on the regex used. > > The last stage now is to just get rid of the pop-uop Window asking for > user credentials. I'm trying to pass those from the browser to Squid. If I > have to work on configuring some sort of Samba/winbind setup for kerberos > auth I will try that, just need some direction on how to move forward with > this. At the moment I'm unsure and the project has stalled because of it. > >> You have a bit of a problem if you want to stop the startup >> popup. It >> usually only occurs when the browser has no working login >> credentials to pass the proxy. >> >> You can stop Squid from requesting login details from the >> browser, but >> if the browser does not know to send them you are in an >> even worse mess >> then. > > Yes I understand that. I'm not trying to avoid passing user credentials, > Squid needs to know these to determine where the users can go on the > internet, I'm just trying to have the browser pass those "Windows logon" > credentials to Squid so Squid can use those credentials for the defined > ACL's. > > Any help/advice anyone can give here is appreciated. Thank you. > > Michael. > >> Amos >> -- Please be using >> Current Stable Squid 2.7.STABLE7 or 3.0.STABLE24 >> Current Beta Squid 3.1.0.16 >>
