On 15.03.2012 00:51, Игорь Потапов wrote:
I've found failing component. It's external_acl_type with the %LOGIN
parameter. It starts some kind of authentication if it thinks user
is not authenticated. And that procedure forces IE on XP to open login
window. I think that procedure is a different one than in
squid_kerb_auth ACL.
How can I help to determine root cause of this issue?
To use authenticated details to check authorization one must first have
authenticated them successfully.

proxy_auth is a simple: test authenticated yes/no. It requires
credentials to be (1) known; at the point and time when the ACL is
tested.

external ACL with %LOGIN is a more complex: test authenticate AND test
authorized yes/no. %LOGIN requires user credentials to be (1) known, (2)
valid, (3) current; at the point and time when the external ACL is
tested.

If they are not meeting all three criteria, Squid will attempt to fetch
some which do meet the criteria.

We have had some troubles in the past (until very recently) with
external ACL identifying the current+valid parts of the criteria wrong.
As far as I know these are fixed now in 3.1.19. But you are of course
welcome to investigate and see if we missed some case that is affecting
IE8.

Amos
-----Original Message-----
From: Игорь Потапов
Hi.
squid is 3.1.19 on FreeBSD 8.2 with MIT kerberos. squid_kerb_auth is
in use as the only auth scheme. Have some external acl to check
authorization in mysql db. On machines running XP SP2 with IE8 (enabled
Windows Integrated Auth) sometimes authentication windows pop up. I
think this is happening if some request is denied by external auth
script. If I hit Cancel page loads further. On Windows 7 see no such
behavior.
Config is here http://pastebin.com/QyCiha8Q
Here is external auth script http://pastebin.com/LiAmniSz
I think IE8 on XP sometimes doesn't send Authorization and asks for it.
Or falls back to NTLM. I've made some workarounds to disable login
windows but on XP they appear.
Can I force IE8 on XP to use only negotiate/Kerberos?