On Tue, 8 Nov 2011 07:41:57 -0800 (PST), franzo318 wrote:
hi guys,
installation: squidnt 2.7-8 on Win2008R2 (domain member srv)
clients: win7/other 2008R2 Server
configuration: with user authentication ->
auth_param ntlm program c:/squid/libexec/mswin_ntlm_auth.exe
result: proxy is not able to authenticate the client request because it cannot
handle the default win7/2008 R2 security setting "LAN Manager authentication level"
it would only work if this setting were changed from default to "ntlm only"
-> but this change would result in a security hole!!!
the same problem occurs while using the negotiate scheme and
auth_param negotiate program c:/squid/libexec/mswin_negotiate_auth.exe
my conclusion:
user authentication with squidnt 2.7 in a 2008r2/win7 environment is not
possible without security impact.
Um, "SquidNT 2.7" was a copyright infringing trojan built from Squid
sources. I hope you mean the Acme packaged build of "Squid 2.7" for
Windows. "SquidNT" also being the internal alpha code name which was
dropped when the Windows support was merged to the stable releases of
Squid.
is this right? or can anybody provide a workaround to the described
problem?
Since the Win2008 default is Kerberos authentication (AKA
negotiate/Kerberos) rather than NTLM the use of mswin_ntlm_auth.exe is
itself a/the security hole in a manner of speaking.
mswin_negotiate_auth.exe uses the Windows native APIs to do Kerberos,
so should work. But 2.7 is a bit old and there may be some small API
updates needed since it was released. You may want to contact Guido at
Acme for support.
HTH
Amos