Re: Negotiate/NTLM Authentication a safer option then Negotiate/Kerberos??


Hi Bilal,

When you use Negotiate you can not control if the client uses Negotiate/Kerberos or Negotiate/NTLM. You have to use pure NTLM as the auth option to guarantee NTLM.

Regards
Markus

"GIGO ." <gigoz@xxxxxxx> wrote in message news:SNT134-w53ECC1ACC0C9B74476D649B9170@xxxxxxxxxx

Hi All,

In our environment we are currently using ISA Server with user-based authentication. We are using Windows 2003 Active Directory and almost all of the users are using Windows-based OSes. We want to seamlessly migrate our users to Squid. I have not yet reached any conclusion despite a lot of studies/efforts/Squid support. I would like you people to guide me in detail, please.

If Negotiate/Kerberos has a limitation in Squid that it has only one fallback scheme, and that is Basic/LDAP, then isn't it a safe option to use Negotiate/NTLM if all users belong to Microsoft Active Directory only?

As every logged-in domain user will always possess a valid NTLM token even if they don't have a valid Kerberos token, this scheme will not require any fallback authentication mechanism to be defined. I would probably need to enumerate Active Directory users through some mechanism (which I am not sure about at this moment) to get this scheme working. Am I right? Please guide in detail.

Another thing which is confusing is whether, like Kerberos, the NTLM token (and hence the user's credentials) will automatically be passed to Squid so that the user never needs to explicitly give a password. Am I right?

What will happen if the user is not logged into the domain but is on a workstation that is part of a workgroup? I assume that in that case a password popup screen will appear, the user will give his/her credentials in domainname/user format, and that will work?

regards,

Bilal Aslam
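
Added example, not part of the original thread or of Squid's code: because the client decides which mechanism to send inside Negotiate, a proxy operator can only observe the choice after the fact, by inspecting the first token of each `Proxy-Authorization` header. The function names and sample headers below are constructed for illustration, and the classification is a byte-signature heuristic, not a full ASN.1 parse.

```python
import base64
import binascii
from collections import Counter

NTLMSSP_SIG = b"NTLMSSP\x00"                            # start of every NTLM message
# DER-encoded mechanism OIDs (tag 0x06, length, value)
OID_SPNEGO = bytes.fromhex("06062b0601050502")          # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")      # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")   # 1.2.840.48018.1.2.2


def classify_proxy_auth(header_value):
    """Return 'basic', 'ntlm', 'negotiate/ntlm', 'negotiate/kerberos' or 'unknown'."""
    scheme, _, blob = header_value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        return "basic"
    if scheme not in ("ntlm", "negotiate"):
        return "unknown"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except (binascii.Error, ValueError):
        return "unknown"
    if scheme == "ntlm":
        return "ntlm" if token.startswith(NTLMSSP_SIG) else "unknown"
    # Negotiate carrying NTLM: raw NTLMSSP, or NTLMSSP as the SPNEGO mechToken
    if NTLMSSP_SIG in token:
        return "negotiate/ntlm"
    # GSS-API initial token: APPLICATION 0 tag (0x60), then a Kerberos mechanism OID
    if token[:1] == b"\x60" and (OID_KRB5 in token or OID_MS_KRB5 in token):
        return "negotiate/kerberos"
    return "unknown"


def count_mechanisms(header_values):
    """Tally which mechanism each client actually chose."""
    return Counter(classify_proxy_auth(v) for v in header_values)


def _b64(raw):
    return base64.b64encode(raw).decode()


# Constructed samples: leading bytes only, no real tickets or credentials
_NTLM_TYPE1 = NTLMSSP_SIG + (1).to_bytes(4, "little") + bytes(8)
SAMPLES = {
    "raw_ntlm": "NTLM " + _b64(_NTLM_TYPE1),
    "neg_ntlm": "Negotiate " + _b64(_NTLM_TYPE1),
    "neg_krb": "Negotiate " + _b64(b"\x60\x20" + OID_SPNEGO + OID_KRB5 + bytes(13)),
}
```
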