Hello, Ok so I know exactly why squid can't forward ntlm credentials and stop at type1. It's facing the double hop issue, ntlm credentials can be sent only on one hop, and is lost with 2 hops like : client -> squid (hop1) -> IIS6 rpx proxy (hop2) -> exchange 2007 That's why when I connect directly to my iis6 rpc proxy that works and when I connect through squid that request login/pass again and again. And we can clearly see that on https analyzes. ISA server has a workaround about this double hop issue as I have wrote in my last mail, I don't know if squid can act like this. I'm searching atm how to set iis6 perhaps to resolve this problem, but I don't want to "break" my exchange so I've to do my tests very carefully Regards Clem -----Message d'origine----- De : Clem [mailto:clemfree@xxxxxxx] Envoyé : lundi 12 mars 2012 13:20 À : squid-users@xxxxxxxxxxxxxxx Objet : TR: https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm Progressing in my ntlm/rpcohttps researches The only reverse proxy that can forward ntlm authentication on outlook anywhere with ntlm auth is ISA, and in this article it describes what parameters you must set for this working : http://blogs.pointbridge.com/Blogs/enger_erik/Pages/Post.aspx?_ID=17 The main parameters are : . accept all users And . No delegation but client may authenticate directly So the proxy acts "directly" and send credential as if it was the client. I think squid has to act exactly like ISA to make ntlm auth to work, dunno if it's possible as ISA is a windows proxy server and surely more confortable with compatibility. Regards Clem -----Message d'origine----- De : Amos Jeffries [mailto:squid3@xxxxxxxxxxxxx] Envoyé : jeudi 8 mars 2012 14:29 À : Clem Objet : Re: TR: https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm On 9/03/2012 2:08 a.m., Clem wrote: > Ok Amos so we go back to same issues, as I said you I have tested all I > could with the latest 3.2 beta versions before. > > So I'm going back to the type-1 ntlm message issue (see my last messages > with this subject) > > And my last question was : > >> I think the link SQUID -> IIS6 RPC PROXY is represented by the >> cache_peer line on my squid.conf, and I don't know if >> client_persistent_connections > and >> server_persistent_connections parameters affect cache_peer too ? It does. Amos
