On 16/01/2012 9:34 p.m., Javier Conti wrote:
On 14 January 2012 07:44, Amos Jeffries wrote:
On 14/01/2012 4:41 a.m., Javier Conti wrote:
Hi list,
I'm trying to setup access to several internal websites that use
Integrated Windows Authentication in a Windows XP/7/2008
environment through Squid 3.1.12. I successfully setup Squid
to authenticate users using Kerberos or NTLM. With Internet
Explorer and Firefox, users successfully authenticate to squid
and get access to all websites (those without Integrated
Windows Authentication actually work fine).
However, all websites using Integrated Windows Authentication
respond with a 401.1 Access Denied error, as it seems the
request reaches the web server without information about the
user's credential. Accessing those websites directly, works fine.
I still don't fully understand how Integrated Windows Authentication
really works, but is anyone successfully using it through a proxy?
Any hints or links to documentation on how it should work in detail?
Thanks, Javier
NTLM does not work over the Internet due to the way it requires breaking
HTTP protocol. Not many admin are happy breaking overall network performance
to cater for MS product design.
Kerberos is updated to fix several of the major problems NTLM had in the
handshake portion. As a result of that change it shodul in theory work over
the Internet more often. It still requires persistent connections for
anything like good performance and still depends on the "pinning" hack to
break HTTP multiplexing and emulate a end-to-end TCP connection.
So the asnwer is "yes, it works successfuly through Squid." but that does
not cover whether it works through any of your hardware, firewalls, IDS
systems, NAT systems your upstream providers, their providers, the sites
provider etc. There is a LOT of hardware and software involved. Any one of
which could break the requirements Windows LAN auth systems depend on.
The authentication protocols which were designed to work as part of the HTTP
protocol operate just fine when sent over the Internet. As you saw.
Hi Amos, thanks for your reply. I now have the impression that even if I manage
to make it work, it would not be as reliable as it should be, and in
case I'd face
problems in the future, troubleshooting would be a nightmare. That considered,
I think investing more time in this is probably worthless.
Not worthless, sorry for giving that impression. I was aiming at giving
an idea of what is involved and could be investigated to find teh problem.
SSO can be useful in LAN where the systems can be controlled to make
sure they all support it. The trouble is usually just the initial
rollout if there has been nothing similar beforehand to weed out the
non-supporting infrastructure.
The recent Squid releases are designed to support NTLM etc as best they
can transparently as forward-proxy, so for LAN traffic it should work
"no problems" (famous last words). BUt as reverse-proxy can only accept
it to the proxy, not right through to the backend. Kerberos has far less
problems and is somewhat more flexible than NTLM once you get over the
small hurdle of learning the different admin tools.
HTH
Amos
