On 31/08/11 03:04, Josh Phillips wrote:
> I have squid setup to authenticate with my Active Directory. On my
> internal network it works and even does single sign-on. Externally,
> it prompts for user name and password (which is what I wanted
> really...), but no matter if I use a correct or incorrect login it
> rejects the login, keeps prompting and eventually says Cache Access
> Denied. I am guessing that it is saying Cache Access Denied because
> when you are on an external network you logged in with a cached
> version of your AD account, but why is it rejecting the
> authentication attempt through squid?
> <snip>
> Is it because on an external network the computer can't actively
> authenticate against the AD that squid is just rejecting the login?
No. It is because the 'L' in NTLM means "LAN".

NTLM assumes that connections are stateful and dedicated to one client
machine or user, whereas HTTP is stateless and services like Squid
multiplex requests into connections which open and close after any request.
> If so, any suggestions on other external authentication methods (I
> don't want to do a simple user/pass setup)[This is a company
> environment]? If not, any ideas on why it is not accepting login on
> an external network, and how can I fix it?
Negotiate/Kerberos should work better. The multiple-request handshake is
removed from that version. It still requires pinning support and
persistence end-to-end across the Internet to work well and securely.
But at least it does not require them just to accept the request.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.15
Beta testers wanted for 3.2.0.11
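For readers following the thread, here is an added configuration example (not from Amos, Josh, or the Squid project) that puts the NTLM setup behind the symptom above beside the Negotiate/Kerberos setup Amos recommends. The helper paths, the proxy hostname, the realm EXAMPLE.COM and the keytab location are assumptions; the Negotiate helper is named squid_kerb_auth in Squid 3.1 and negotiate_kerberos_auth in 3.2 and later, so match the line to your build.

```conf
# Added example, not from the original thread.
# Helper paths, hostname, realm and keytab path are assumed values.

# --- Before: NTLM via Samba's ntlm_auth -------------------------------
# The NTLM handshake is bound to one TCP connection, which a proxy that
# multiplexes and closes connections cannot guarantee across the Internet.
# auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
# auth_param ntlm children 10
# auth_param ntlm keep_alive on

# --- After: Negotiate/Kerberos ----------------------------------------
# -s gives the service principal the proxy's keytab holds; the helper
# name/path below assumes Squid 3.2+ (use squid_kerb_auth on 3.1).
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy.example.com@EXAMPLE.COM
auth_param negotiate children 10
auth_param negotiate keep_alive on

# Grant access only to requests carrying valid proxy credentials.
acl authenticated proxy_auth REQUIRED
http_access deny !authenticated
http_access allow authenticated
http_access deny all
```

The helper locates the proxy's keytab through the KRB5_KTNAME environment variable (for example, exporting KRB5_KTNAME=/etc/squid/squid.keytab in the Squid start-up script; the path is an assumption), and the keytab must contain the same HTTP/proxy.example.com principal named by -s. A client still has to obtain a service ticket for that principal from a KDC it can reach, so an external machine with no path to the domain controllers will fail at the ticket request rather than in Squid; checking the client's ticket cache and Squid's cache.log for the helper's messages separates the two cases.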