Hi Tom
It should work if squid sends Negotiate and NTLM authentication requests to
the client. IE6 will ignore the Negotiate request and reply to NTLM, whereas
IE7 and IE8 will respond to Negotiate. With NTLM you will get a username
like Netbios-Domain\user in contrast to user@Kerberos-Realm. squid_kerb_ldap
can deal with this through the -N option, e.g.
-N Netbios-Domain@Kerberos-Realm, and if you have two domains use
-N Netbios-Domain@Kerberos-Realm:Netbios-Domain2@Kerberos-Realm2.
Regards
Markus
"Tom Tux" <tomtux80@xxxxxxxxx> wrote in message
news:AANLkTinrNhqPuwS0h21XYBrqTuRde7dK9ebHKXG9zkm5@xxxxxxxxxxxxxxxxx
Hi
I'm searching for a way to authenticate IE6 clients with NTLM based on
group membership and all other clients (IE7, IE8) with Kerberos (also
group-membership-based).
I'm able to authenticate with Kerberos AND group membership
(squid_kerb_ldap), but the IE6 clients will then prompt for the
squid_kerb_ldap authentication. If I leave the squid_kerb_ldap helper
out, then all users are able to authenticate without checking the
group membership.
How can I achieve a proper single-sign-on
Kerberos authentication (with squid_kerb_ldap) and a
fallback NTLM authentication for the IE6 browser (also with checking
group membership) without prompting for username/password?
Thank you.
Regards
Tom