On 30/06/2012 11:36 p.m., Navas wrote:
Hi, I have setup squid authentication with Kerberos to the 2003 Active Directory. I could test it successfully to all browsers but failed in IE6. So I used following squid.conf to get NTLM auth for IE6 # # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS # #auth_param negotiate program /usr/sbin/squid_kerb_auth -d auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=SYSNET.LOCAL --kerberos /usr/sbin/squid_kerb_auth -d -s GSS_C_NO_NAME auth_param negotiate children 10 auth_param negotiate keep_alive on ### pure ntlm authentication auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=SYSNET.LOCAL auth_param ntlm children 10 auth_param ntlm keep_alive off acl auth proxy_auth REQUIRED But the question is it need separate configuration as in ### pure ntlm authentication for specifically for NTLM? Is it never work with first entries only which supposed to be worked with both NTLM and Kerberos ?
Yes it needs to be a seprate configuration for IE6 and older software which only supports "pure" NTLM.
The newer software will know that NTLM can be reponded using Negotiate/NTLM. But then you would not have had problems with negotiate to start with if they were doing that properly.
Amos
