Hi Bilal,
When you use Negotiate you can not control if the client uses
Negotiate/Kerberos or Negotiate/NTLM. You have to use pure NTLM as the auth
option to guarantee NTLM.
Regards
Markus
"GIGO ." <gigoz@xxxxxxx> wrote in message
news:SNT134-w53ECC1ACC0C9B74476D649B9170@xxxxxxxxxx
Hi All,
In our environment currently we are using ISA server with userbased
authentication. we are using windows 2003 Active Directory and almost all of
the users are using Windows based OS. We want to seemlessly migrate our
users to Squid.
I have not yet reached to any conlusion despite lot of studies/efforts/Squid
Support. I would like you people to guide me in detail please.
If Negotiate/kerberos has a limitation in squid that it has only one
fallback scheme and that is Basic/Ldap. Then isnt it a safe option to use
netgotiate/NTLM if all users belonged to Microsoft Active Directory only?
As every logged-in domain user will always possess a valid NTLM token even
if it dont have a valid kerberos token. So this scheme will not require any
Fallback authentication mechanism to be defined.I would probably be needing
to enumerate Active directory users through some mechanism(which i am not
sure about at this moment) to get this scheme working. Am i right? please
guide in detail.
Another thing which is confusing is that if alike kerberos NTLM token(and
hence users credentials) will automatically passed to squid and user never
requires a need to explicitly give password. Am i right?
What will happen if the user is not logged into the domain but on a
workstation that is part of workgroup. I assume that in that case a password
popup screen will appear and user will give his/her credentials in
domainname/user format and that will work?
regards,
Bilal Aslam
_________________________________________________________________
Hotmail: Powerful Free email with security by Microsoft.
https://signup.live.com/signup.aspx?id=60969