On 23/02/2012 7:00 p.m., Jiang Wen Dong wrote:
> Website in local LAN.
>
> Forward mode, not reverse mode.
>
> auth_param ntlm keep_alive on

auth_param is proxy-auth headers in forward-proxy mode.

You need client_persistent_connections and server_persistent_connections ON for keep-alive. These should be on by default in 3.1+, so the thing to check is whether you disabled those.

> NTLM doesn’t work, neither does Kerberos. Very strange.

As I said, www-auth headers just get passed straight through the proxy to the www server.

Amos

>
> ------------------------------------------------
> Jiang Wendong (姜文栋)
> IT Dept.
> Tel: 010-5822-3486/3481
> Mobile: 13811249966
> E-Mail: wendong.jiang@xxxxxxxxxxx / jiangwendong@xxxxxxxxxx
>
>
>
> -----Original Message-----
> From: Amos Jeffries [mailto:squid3@xxxxxxxxxxxxx]
> Sent: 23 February 2012 12:34
> To: squid-users@xxxxxxxxxxxxxxx
> Subject: Re: Can't access IIS website with Integrated Windows Authentication, why?
>
> On 22/02/2012 5:30 p.m., Jiang Wen Dong wrote:
>> I have 2 IIS websites with Integrated Windows Authentication.
>>
>> Users access internet and these 2 websites by squid.
>> Access internet is ok, but can’t access these 2 websites.
>>
>> I have tried v3.1 and v3.2 with default config, but the problem is still there.
>>
>> It seems squid cut off www-auth information.
>>
>> Anybody can help me with this?
> Is squid operating in forward or reverse proxy mode?
> * forward proxies never touch www-auth headers
> * reverse proxies are where the auth is destined to be tested. Squid will attempt to validate them using your configured auth_param.
> NP: login using NTLM credentials to a backend is not supported. (what often appears to be a "relay" is actually Squid logging into the backend itself).
>
> Is the website on the local LAN or out on the Internet?
> * NTLM requires end-to-end connectivity. Many Internet links do not provide those guarantees since proxy gateways and NAT were invented.
>
> Do you have persistent connections enabled or disabled?
> * NTLM requires them.
>
>
> Amos
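
The check suggested in the reply above (whether the two persistent-connection directives were disabled), as an added example that is not part of the thread and not Squid's own tooling. It assumes "name value" directive lines, `#` comments, last occurrence wins, an absent directive meaning the "on" default the reply gives for 3.1+, and it does not follow `include` files; the function names and the sample configuration are constructed.

```shell
#!/bin/sh
# Report the effective value of the persistent-connection directives that
# NTLM pass-through depends on, read from a squid.conf-style file.

# usage: effective_value <conf-file> <directive>
effective_value() {
    awk -v want="$2" '
        { sub(/#.*/, "") }                           # strip comments
        $1 == want && NF >= 2 { val = tolower($2) }  # last setting wins
        END { print (val == "" ? "on" : val) }       # assumed default: on
    ' "$1"
}

# usage: check_persistence <conf-file>
# Prints one line per directive; returns 1 if either is not "on".
check_persistence() {
    status=0
    for d in client_persistent_connections server_persistent_connections; do
        v=$(effective_value "$1" "$d")
        echo "$d = $v"
        if [ "$v" != "on" ]; then
            echo "  -> NTLM to the web server requires this to be on"
            status=1
        fi
    done
    return $status
}

# Constructed sample configuration (not taken from the thread).
sample_conf() {
    cat <<'EOF'
http_port 3128
# client_persistent_connections off
client_persistent_connections on
server_persistent_connections off   # disabled during an earlier test
EOF
}

# Run against a real file when a path is given on the command line.
if [ "${1:-}" != "" ]; then
    check_persistence "$1"
fi
```
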