On Tue, 22 Nov 2011 15:34:53 +0100, Emmanuel Lacour wrote:
I enabled kerberos auth on an AD domain with a fallback to ldap basic auth. It seems that if someone uses the proxy from another lan in another AD domain on which I have no control, the basic auth is not used. Is this understandable? Any way to work around this?
Yes this is common. The client application is in complete control over which authentication methods it uses. All Squid does is offer a set of possibilities.
Also, Basic auth is sent to the client with a realm= parameter stating which domain/realm Squid supports that method from. NTLM and Kerberos were built around SSO principles, in which a client only has one set of credentials which are globally accepted or not. The validating process (Squid) needs access to the DC (AD server) for that user's credentials.
Marcus has updated the Kerberos wiki pages with a great overview of how both of those work.
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos

Amos
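For reference, here is the shape of a squid.conf that offers Negotiate/Kerberos first and Basic-over-LDAP as the fallback the thread is talking about. This is an added example, not configuration from the thread, from Emmanuel or from the Squid wiki page linked above; the helper paths, the service principal and keytab, the LDAP host, bind DN and base DN are placeholders that a real site would replace.

```conf
# Added example (not from the thread). Placeholders: helper paths under
# /usr/lib/squid/, the HTTP/proxy.example.com@EXAMPLE.COM principal, the
# keytab, the LDAP host dc1.example.com, the bind DN and the base DN.

# Negotiate (Kerberos) is listed first. Squid emits its Proxy-Authenticate
# challenges in the order the schemes are configured, and a browser that can
# obtain a ticket for this principal from its own realm will choose it.
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy.example.com@EXAMPLE.COM -k /etc/squid/proxy.keytab
auth_param negotiate children 20 startup=5 idle=2
auth_param negotiate keep_alive on

# Basic fallback against LDAP. The realm string below is what the client
# sees in the "Proxy-Authenticate: Basic realm=..." challenge. Basic
# credentials travel Base64-encoded, so keep the bind password out of this
# file (-W reads it from a separate, root-only file).
auth_param basic program /usr/lib/squid/basic_ldap_auth -v 3 -b "dc=example,dc=com" -f "(sAMAccountName=%s)" -D "cn=squid,cn=Users,dc=example,dc=com" -W /etc/squid/ldap_bind_pw -h dc1.example.com
auth_param basic children 10 startup=2 idle=1
auth_param basic realm Proxy EXAMPLE.COM
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

# Either scheme satisfying proxy_auth is enough to pass this ACL; Squid does
# not decide which one the client uses, it only offers both.
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all
```

Two points worth checking when a client from a foreign domain does not fall back as expected: confirm with a packet capture or `debug_options 29,5` that the 407 response actually carries both a `Negotiate` and a `Basic realm=...` challenge, and remember that whether the client ever answers the Basic challenge is the client's decision, exactly as Amos describes. On the Squid side, run the LDAP helper by hand (`/usr/lib/squid/basic_ldap_auth ...` and type `user password` on stdin, expecting `OK` or `ERR`) to rule out a helper problem before blaming scheme selection.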