Hi. On 23.07.2013 07:50, Brendan Kearney wrote: > > your "home machine", is it part of the domain that the work proxies are > authenticating against? You would never be able to retrieve a kerberos > ticket from the domain to use for authentication to the proxies if your > home machine is not part of the domain. as for ntlm, you should be able > to use the proxies if they force auth and support ntlm. you may need to > configure your browser to use integrated windows authentication. IE vs > Firefox have different configs that have to be setup for each to work > with proxies that force authentication. > > you may need to turn integrated windows authentication off too, in the > case where you are not part of the domain. otherwise the user "bob" > with a password of "blah" in the workgroup "kitchen PC" will be > presenting his creds to the proxies and will never be allowed to browse. > > from the errors, it seems that no ticket is presented by your client. i > dont see anything about ntlm. you may have fallen into the "valid > failure" scenario, where the proxy and browser both support and agree to > NEGOTIATE / Kerberos auth, but your client cannot supply valid > credentials (in the form of a kerberos ticket), and therefore you are > not authenticated and not allowed to surf. you do not fall through to > the next auth type supported because the agreed upon auth method > returned an appropriate failure. > > to get past that, and use an alternate auth method, such as ntlm, you > need to configure your browser to not use kerberos auth. again, IE and > Firefox will do be different in how you configure that. > So, about this problem. Does anyone have a working method of authorizing Windows browsers on such a proxy ? I can easily install another, just for machines that aren't joined domain, but I kinda dislike this solution. Okkam's razor, you know this stuff. Furthermore, I'm upgrading my old 3.2 squids to 3.3, and I like the way 3.3 is working, except this thing. I tried to play with FF's options,. but didn't succeed - squid keeps rejecting the authentication. I have basic auth also running, and, if Escape is pressed on a NTLM/SPNEGO popup, a basic auth popup appears, but FF for some reason still tried to authenticate using NTLM/SPNEGO. Thanks. Eugene.
