
Re: Integrated Windows Authentication through Squid


 



On 14/01/2012 4:41 a.m., Javier Conti wrote:
Hi list,

I'm trying to set up access to several internal websites that use
Integrated Windows Authentication in a Windows XP/7/2008
environment through Squid 3.1.12. I successfully set up Squid
to authenticate users using Kerberos or NTLM. With Internet
Explorer and Firefox, users successfully authenticate to squid
and get access to all websites (those without Integrated
Windows Authentication actually work fine).

However, all websites using Integrated Windows Authentication
respond with a 401.1 Access Denied error, as it seems the
request reaches the web server without information about the
user's credential. Accessing those websites directly works fine.

I still don't fully understand how Integrated Windows Authentication
really works, but is anyone successfully using it through a proxy?
Any hints or links to documentation on how it should work in detail?

Thanks, Javier

NTLM does not work over the Internet due to the way it requires breaking HTTP protocol. Not many admins are happy breaking overall network performance to cater for MS product design.

Kerberos is updated to fix several of the major problems NTLM had in the handshake portion. As a result of that change it should in theory work over the Internet more often. It still requires persistent connections for anything like good performance and still depends on the "pinning" hack to break HTTP multiplexing and emulate an end-to-end TCP connection.

So the answer is "yes, it works successfully through Squid." but that does not cover whether it works through any of your hardware, firewalls, IDS systems, NAT systems, your upstream providers, their providers, the site's provider etc. There is a LOT of hardware and software involved. Any one of which could break the requirements Windows LAN auth systems depend on.

The authentication protocols which were designed to work as part of the HTTP protocol operate just fine when sent over the Internet. As you saw.

Amos
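
Added example (not part of the original thread, and not Squid's code): a toy Python model of why connection-bound NTLM fails when a proxy multiplexes requests across shared upstream connections and succeeds when the client connection is pinned to one upstream connection. The class names, the two-connection pool and the "NTLM type1"/"NTLM type3" strings are constructed stand-ins for the real handshake messages.

```python
import itertools

class OriginServer:
    """Toy origin: NTLM handshake state is stored per TCP connection."""
    def __init__(self):
        self.state = {}  # upstream connection id -> "challenged" | "authenticated"

    def handle(self, conn_id, auth):
        st = self.state.get(conn_id)
        if st == "authenticated":
            return 200                      # connection already authenticated
        if auth == "NTLM type1":
            self.state[conn_id] = "challenged"
            return 401                      # would carry the type 2 challenge
        if auth == "NTLM type3" and st == "challenged":
            self.state[conn_id] = "authenticated"
            return 200
        return 401                          # no matching challenge on this connection

class Proxy:
    """Toy proxy: either multiplexes over a shared pool or pins per client."""
    def __init__(self, origin, pinning, pool_size=2):
        self.origin = origin
        self.pinning = pinning
        self.pool = itertools.cycle(range(pool_size))  # shared upstream connections
        self.pinned = {}                               # client conn -> upstream conn

    def forward(self, client_conn, auth):
        if self.pinning:
            # One dedicated upstream connection per client connection.
            upstream = self.pinned.setdefault(client_conn, f"pinned-{client_conn}")
        else:
            # Ordinary HTTP multiplexing: next free connection from the pool.
            upstream = f"pool-{next(self.pool)}"
        return self.origin.handle(upstream, auth)

def browse(proxy, client_conn="c1"):
    """Client side: unauthenticated request, type 1, type 3, then a follow-up."""
    steps = [None, "NTLM type1", "NTLM type3", None]
    return [proxy.forward(client_conn, a) for a in steps]

if __name__ == "__main__":
    print("multiplexed:", browse(Proxy(OriginServer(), pinning=False)))
    print("pinned:     ", browse(Proxy(OriginServer(), pinning=True)))
```

In the multiplexed run the type 3 message reaches a connection that never issued a challenge, so every response is 401, which matches the symptom described in the question.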

