Re: Re: Re: SSO with Active Directory-Squid Clients

Hi Bilal,

Regarding your second point about workgroups the answer is that Kerberos can work too (with popup). But to make it work your DHCP server has to provide WINS servers (or it has to be hardcoded on the client). When a client gets the Negotiate request the client will try to find out where the domain server is for that domain (using the username details e.g. @DOMAIN) via NetBIOS name resolution using the configured WINS servers. Once they are determined the client will send AS and TGS requests to the domain server and can then authenticate to the proxy.

Regards
Markus

"GIGO ." <gigoz@xxxxxxx> wrote in message news:SNT134-w4D0C3C636780C9186C4A2B9160@xxxxxxxxxx

If I select Negotiate/Kerberos as authentication protocol for my Squid on Linux and configure no fallback authentication, what would be the consequence?

1. Isn't it that all of my users who have logged into Active Directory and where the browser is supported will be able to use Squid?

2. Only those users who will try to use Squid from a workgroup giving their domain password (domainname/userid) will fail as there will be no fallback available.

3. Is there any other scenario in which these users will not be able to use Squid?

I would be really thankful if you guide me further as I am failing to understand why a fallback authentication is necessary, if it is. What could be the scenario when Windows clients have no valid TGT even if they are logged in to the domain? I hope you can understand me and help me to clear myself.

regards,

Bilal Aslam

----------------------------------------
To: squid-users@xxxxxxxxxxxxxxx
From: huaraz@xxxxxxxxxxxxxxxx
Date: Wed, 7 Apr 2010 20:17:20 +0100
Subject: Re:  Re: Re: SSO with Active Directory-Squid Clients

Sorry I knew that but forgot to mention that I was talking about the Unix
version.

Thank you
Markus

"Guido Serassio" wrote in message
news:58FD293CE494AF419A59EF7E597FA4E64002FA@xxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi Markus,

> If you have a Windows client and the proxy sends WWW-Proxy-Authorize:
> Negotiate the Windows client will try first to get a Kerberos ticket and
> if that succeeds sends a Negotiate response with a Kerberos token to the
> proxy.
> If the Windows client fails to get a Kerberos ticket the client will send
> a Negotiate response with a NTLM token to the proxy. Unfortunately there
> is yet no squid helper which can handle both a Negotiate/Kerberos response
> and a Negotiate/NTLM response (although maybe the samba ntlm helper can).
> So there is a fallback when you use Negotiate, but it has some caveats.

This is not true when Squid is running on Windows: the Windows native
Negotiate Helper can handle both Negotiate/Kerberos and Negotiate/NTLM
responses.

Regards


Guido Serassio
Acme Consulting S.r.l.
Microsoft Gold Certified Partner
VMware Professional Partner
Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135 Fax. : +39.011.9781115
Email: guido.serassio@xxxxxxxxxxxxxxxxx
WWW: http://www.acmeconsulting.it
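
As an added illustration (not part of the original thread, and not Squid's or any helper's own code), this Python sketch shows how the two kinds of Negotiate response described in the quoted message can be told apart from the client's Proxy-Authorization value: a raw NTLMSSP message versus a GSS-API token whose first mechanism OID is Kerberos or NTLMSSP. The function name and sample tokens are constructed for this example, and the OID lookup is a byte scan rather than a full ASN.1 parse.

```python
import base64
import binascii

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
# DER-encoded GSS-API mechanism OIDs.
OID_SPNEGO = bytes.fromhex("06062b0601050502")           # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")       # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")    # 1.2.840.48018.1.2.2
OID_NTLMSSP = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10


def classify_negotiate(header_value):
    """Classify a Proxy-Authorization value: kerberos, ntlm, not-negotiate, malformed."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except (binascii.Error, ValueError):
        return "malformed"
    if token.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"        # raw NTLMSSP message sent under the Negotiate scheme
    if not token.startswith(b"\x60"):
        return "malformed"   # not a GSS-API InitialContextToken
    # Heuristic byte scan (assumption of this example, not a full ASN.1 parse):
    # the mechanism OID that appears first is the one the token belongs to.
    found = {}
    for name, oids in (("kerberos", (OID_KRB5, OID_MS_KRB5)), ("ntlm", (OID_NTLMSSP,))):
        hits = [i for i in (token.find(o) for o in oids) if i >= 0]
        if hits:
            found[name] = min(hits)
    return min(found, key=found.get) if found else "malformed"


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


# Constructed sample tokens (structure only, no real tickets or hashes).
SAMPLE_NTLM = "Negotiate " + _b64(NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00" + b"\x00" * 24)
SAMPLE_KRB = "Negotiate " + _b64(b"\x60\x82\x01\x00" + OID_SPNEGO + b"\xa0\x30\x30\x2e\xa0\x18\x30\x16"
                                 + OID_MS_KRB5 + OID_KRB5 + OID_NTLMSSP + b"\x00" * 16)
SAMPLE_SPNEGO_NTLM = "Negotiate " + _b64(b"\x60\x40" + OID_SPNEGO + b"\xa0\x36\x30\x34\xa0\x0e\x30\x0c"
                                         + OID_NTLMSSP + b"\xa2\x22\x04\x20" + NTLMSSP_SIGNATURE + b"\x00" * 24)

if __name__ == "__main__":
    for sample in (SAMPLE_NTLM, SAMPLE_KRB, SAMPLE_SPNEGO_NTLM, "Basic dXNlcjpwdw=="):
        print(classify_negotiate(sample), "<-", sample[:40])
```

Counting the classifications in proxy logs or a test capture shows how many clients are falling back to NTLM before a Kerberos-only configuration is rolled out.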

