On 3/7/2011 7:28 PM, Amos Jeffries wrote:
On Mon, 07 Mar 2011 17:14:40 -0600, Vernon A. Fort wrote:
What do you mean by "external groups"? people accessing from out on
the Internet?
NP: NTLM does not work reliably across the wide Internet due to its
design as a LAN protocol. Kerberos is only slightly better over WAN.
The key authentication difference between XP and Win7 is NTLM. In Win7
it has been outright removed from some services (the Server ones) and
downgraded in all others (client services) to require manual
configuration turning back on.
The recommended path is to add Kerberos alongside NTLM until you can
turn off NTLM entirely. If you absolutely cant start the transition to
Kerberos then doing that manual configuration of Windows Vista or
later boxes is required to downgrade their security.
Amos
Our setup is simple - just configure the proxy setting in the browser
and start browsing - no auth to squid itself. The site we are trying to
connect to is an internet based windows sharepoint server which requires
authentication:
Cannot connect using version(s) 3.1.[8,9] regardless of the
combination's with connection-auth and pipeline_prefetch. I have also
tried the registry hacks for win7 without success.
I downgraded to version 2.7.9 using the default squid.conf (no
adjustments whatsoever) and CAN successfully connect (authenticate) from
both win7 and xp using IE/Firefox/Chrome. I am by no means and expert
but have experienced greater difficulty using the 3.* versions when
connecting to windows based servers which require authentication. My
observations so far doing NOTHING to the windows boxes is:
Successful connections using version 2.7.9 - default squid.conf.
Unsuccessful connection using 3.1.7 or higher - regardless of the
connection-auth with or without registry hacks.
Vernon
