On 14 January 2012 07:44, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> On 14/01/2012 4:41 a.m., Javier Conti wrote:
>>
>> Hi list,
>>
>> I'm trying to set up access to several internal websites that use
>> Integrated Windows Authentication in a Windows XP/7/2008
>> environment through Squid 3.1.12. I successfully set up Squid
>> to authenticate users using Kerberos or NTLM. With Internet
>> Explorer and Firefox, users successfully authenticate to Squid
>> and get access to all websites (those without Integrated
>> Windows Authentication actually work fine).
>>
>> However, all websites using Integrated Windows Authentication
>> respond with a 401.1 Access Denied error, as it seems the
>> request reaches the web server without information about the
>> user's credentials. Accessing those websites directly works fine.
>>
>> I still don't fully understand how Integrated Windows Authentication
>> really works, but is anyone successfully using it through a proxy?
>> Any hints or links to documentation on how it should work in detail?
>>
>> Thanks,
>> Javier
>
>
> NTLM does not work over the Internet due to the way it requires breaking
> the HTTP protocol. Not many admins are happy breaking overall network performance
> to cater for MS product design.
>
> Kerberos is updated to fix several of the major problems NTLM had in the
> handshake portion. As a result of that change it should in theory work over
> the Internet more often. It still requires persistent connections for
> anything like good performance and still depends on the "pinning" hack to
> break HTTP multiplexing and emulate an end-to-end TCP connection.
>
> So the answer is "yes, it works successfully through Squid." but that does
> not cover whether it works through any of your hardware, firewalls, IDS
> systems, NAT systems, your upstream providers, their providers, the site's
> provider etc. There is a LOT of hardware and software involved. Any one of
> which could break the requirements Windows LAN auth systems depend on.
>
> The authentication protocols which were designed to work as part of the HTTP
> protocol operate just fine when sent over the Internet. As you saw.

Hi Amos,

thanks for your reply. I now have the impression that even if I manage to make it work, it would not be as reliable as it should be, and in case I'd face problems in the future, troubleshooting would be a nightmare. That considered, I think investing more time in this is probably worthless.

Thanks for the clarification,
Javier

> Amos