On 22/02/2013 5:06 a.m., Francesco wrote:
Hello, I am trying Squid Kerberos authentication instead of NTLM authentication to resolve a compatibility issue with the latest version of Windows. Only two things, if I can: 1) In squid.conf, I have to specify the Windows user with a capital first letter. Ex: user = User@DOMAIN. If I specify user@DOMAIN I have no authentication to surf.
Case sensitivity has nothing to do with Squid. The user details are part of the encrypted data transferred directly between your client software and your authentication system. When users log in, the authentication system informs Squid what username just logged in - Squid uses that label exactly as received.
2) In squid/access.log, for some pages, I see a DENIED request and then a TCP_MISS for the same page. It seems the browser tries to access a page and is not authenticated by the proxy server. Then the client retries and can reach the page. Is it normal?
Yes. This is how authentication works in general. Client connects, server requests credentials, client repeats with credentials and gets whatever response is appropriate for that.
If you were using Basic authentication it allows user credentials to be sent by the browser on brand new requests so that the server challenge part does not happen. If you were using persistent connections in HTTP that allows a pipeline of multiple requests to be sent on one connection with the same credentials, reducing the connection count and thus the time auth handshake has to occur. ... either one of these may have been happening previously such that you would see some or most requests "just working" instead of every single one being prefixed by a DENIED/407 handshake.
Amos
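
Added example (not part of the original message and not Squid's own code): a small Python check that pairs each TCP_DENIED/407 challenge in access.log with the authenticated retry described above, so the normal handshake can be told apart from challenges that were never answered. It assumes Squid's native log layout, a single-round Negotiate/Kerberos handshake, and a hypothetical 5-second pairing window; the log lines are constructed.

```python
from collections import namedtuple

Entry = namedtuple("Entry", "ts client code status method url user")

# Constructed sample lines in Squid's native access.log layout (not real traffic).
SAMPLE = [
    "1361462760.100      2 192.0.2.10 TCP_DENIED/407 3985 GET http://example.com/ - HIER_NONE/- text/html",
    "1361462760.180     85 192.0.2.10 TCP_MISS/200 10240 GET http://example.com/ User@DOMAIN HIER_DIRECT/203.0.113.5 text/html",
    "1361462765.000      1 192.0.2.11 TCP_DENIED/407 3985 GET http://example.com/news - HIER_NONE/- text/html",
    "1361462765.050      1 192.0.2.11 TCP_DENIED/407 3985 GET http://example.com/news - HIER_NONE/- text/html",
]

def parse(line):
    """Split one native-format line into the fields this check needs."""
    f = line.split()
    code, status = f[3].split("/")
    return Entry(float(f[0]), f[2], code, int(status), f[5], f[6], f[7])

def classify_challenges(lines, window=5.0):
    """Return (answered, unanswered) lists of 407 entries.

    A 407 is 'answered' when the same client repeats the same method and URL
    within `window` seconds and the log records a username for the retry.
    """
    pending = {}                      # (client, method, url) -> open 407 entry
    answered, unanswered = [], []
    for e in map(parse, lines):
        key = (e.client, e.method, e.url)
        if e.status == 407:
            if key in pending:        # challenged again without authenticating
                unanswered.append(pending[key])
            pending[key] = e
        elif key in pending:
            prev = pending.pop(key)
            ok = e.user != "-" and e.ts - prev.ts <= window
            (answered if ok else unanswered).append(prev)
    unanswered.extend(pending.values())   # challenges with no retry at all
    return answered, unanswered

if __name__ == "__main__":
    ok, bad = classify_challenges(SAMPLE)
    print("normal handshakes:", len(ok))
    for e in bad:
        print("unanswered 407:", e.client, e.url)
```

Clients that appear only in the unanswered list are the ones worth checking for missing tickets or clock skew; a 407 followed at once by an authenticated TCP_MISS is the expected pattern.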