Hello Amos and thank you in advance for your kind interest! I am the squid proxy administrator and in 2.6 or 3.1 connection pinning is enabled, but those iis+ntlm website are not authenticated yet! Have i to apply some particular configuration in my squid.conf? Thank you again, Francesco 2010/7/24 Amos Jeffries <squid3@xxxxxxxxxxxxx>: > Francesco Collini wrote: >> >> Hello, >> >> i am experiencing problem with some remote websites that use IIS and >> ntlm windows authentication. >> The problems persist with 2.6 and 3.1 version, too. >> >> I tried to add: http_port 3128 connection-auth=on but no results. >> >> Is there a solution? > > * NTLM websites assume that every piece of HTTP browser and proxy software > supports Microsoft proprietary protocols and connection pinning. > > * You are assuming that your proxy is the only proxy in the chain. > > Neither if those are likely to be true. > > NTLM websites can work locally on a LAN where all software has a chance of > being controlled with the requirement of supporting NTLM. Over the general > Internet it's a non-starter. > > Using HTTPS instead of HTTP *almost* guarantees the end-to-end connection > NTLM requires. I say almost because middle-proxies are now also decrypting > HTTPS and proxying it in some places. > > The solution is to get the website to use a method of authentication which > works outside walled-garden LANs. Digest auth designed specifically for high > security over HTTP is available. Basic auth is the 'normal' low-security > method. > > The alternative is to find every proxy in the middle between you and those > sites, and get their admin to turn on connection pinning just for you. > > Amos > -- > Please be using > Current Stable Squid 2.7.STABLE9 or 3.1.5 >
