
Re: NTLM authentication login popups

Tuan Nguyen wrote:
Thanks Kinkie but I'm still getting the popup window (tried with both
IE and FF). The client machine is joined to a domain. Basically I'm
trying to force an Access Denied page on this client instead of the
popup. The wiki does suggest an "all hack" but it's not working for
me:

http://wiki.squid-cache.org/Features/Authentication#How_do_I_prevent_Login_Popups.3F


You had it inverted. Kinkie's suggestion got you halfway there.

This:
  acl ntlmauth proxy_auth REQUIRED
  http_access allow ntlmauth all
  http_access deny all

Will permit successfully pre-authed users and send back "Access Denied" to the rest.

However there is a critical flaw with NTLM which may bite you here...

* NTLM *requires* a 407 challenge to be sent back with a token used in sending the followup credentials.
* the "all" hack prevents the 407 header containing that token being sent. (Its presence is the trigger for the browser to potentially do the popup).

Understanding those two facts, it's highly likely that browsers will never send acceptable NTLM tokens.

NTLM without the initial challenges is equivalent to Kerberos. So if you want this to be reliably working you had best look at the upgrade to that auth protocol.

One other thing to be aware of: the browser is the software that decides whether a popup occurs, and will only do so if it has no credentials or the ones it already tried have failed.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.6
  Beta testers wanted for 3.2.0.1
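
As an added illustration (not part of the original message and not Squid code), this Python sketch decodes the NTLM message type from Proxy-Authenticate / Proxy-Authorization header values and reports whether the 407 challenge step described above took place. The function names and both traces are constructed for this example.

```python
import base64
import struct

NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

def ntlm_message(value):
    """Decode an 'NTLM <base64>' header value -> (type name, server challenge or None).
    Returns None for anything that is not an NTLM token (e.g. the bare 'NTLM' offer)."""
    scheme, _, blob = value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not blob.strip():
        return None
    try:
        raw = base64.b64decode(blob.strip(), validate=True)
    except ValueError:
        return None
    if len(raw) < 12 or raw[:8] != b"NTLMSSP\x00":
        return None
    (mtype,) = struct.unpack_from("<I", raw, 8)   # little-endian message type
    # In a type 2 message the 8-byte server challenge sits at offset 24.
    challenge = raw[24:32] if mtype == 2 and len(raw) >= 32 else None
    return NTLM_TYPES.get(mtype, "UNKNOWN"), challenge

def handshake_state(exchange):
    """exchange: (status, header name, header value) tuples in wire order;
    status is None for client requests."""
    seen = []
    for status, name, value in exchange:
        msg = ntlm_message(value)
        if msg is None:
            continue
        # A challenge only counts when it arrives on a 407 Proxy-Authenticate.
        if msg[0] == "CHALLENGE" and (status != 407 or name.lower() != "proxy-authenticate"):
            continue
        seen.append(msg[0])
    if seen[:3] == ["NEGOTIATE", "CHALLENGE", "AUTHENTICATE"]:
        return "complete"
    return "no-challenge" if "CHALLENGE" not in seen else "incomplete"

def make_token(mtype, body=b""):
    # Constructed token: signature + type + filler; not a valid credential.
    return "NTLM " + base64.b64encode(b"NTLMSSP\x00" + struct.pack("<I", mtype) + body).decode()

# Constructed traces (not captured from a real proxy).
WITH_407 = [(407, "Proxy-Authenticate", "NTLM"),
            (None, "Proxy-Authorization", make_token(1, b"\x00" * 4)),
            (407, "Proxy-Authenticate", make_token(2, b"\x00" * 12 + bytes(range(8)))),
            (None, "Proxy-Authorization", make_token(3, b"\x00" * 52))]
DENIED_NO_407 = [(403, "X-Squid-Error", "ERR_ACCESS_DENIED 0")]

if __name__ == "__main__":
    print(handshake_state(WITH_407), handshake_state(DENIED_NO_407))
```
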

