On 17/12/2015 5:34 a.m., Fabio Bucci wrote:
> I'm planning to migrate to Kerberos instead of NTLM..... I got a question for
> you Amos: sometimes a client reports issue in navigation and searching into
> log file I cannot see "username" and all the requests are 407
>
> In these cases is there a way to reset a user session or it's a completely
> client issue?

Usually it is the client stuck in a loop trying Negotiate/NTLM auth for some
reason. Some old Firefox, most Safari, and older IE can all get stuck trying
those credentials and ignoring the offers of Basic.

It might be possible to figure out some LmCompatibility settings change that
makes the problem just go away (e.g., forcing NTLM of all versions to disabled
on the client).

Other than that Squid does have some workaround responses it can be made to
send back that might help the client reach the right conclusion:

a) list Basic auth first in the config.

Any properly working client will re-sort the auth types by security level and
do the Kerberos anyway. But the broken ones (particularly IE7 and older) will
have more chance of using Basic.

b) sending 407 response with no auth headers.

Such as a deny 407 status generated by external ACL deny, or a URL-redirector.
These tell the client that auth failed, but there is no acceptable fallback.

c) sending Connection:close.

Sometimes (mostly Firefox v20-v40) it is the client prematurely attaching the
credentials to the connection and re-using them. That is supposed to have been
fixed recently, but I've not confirmed.

d) sending 403 status response.

To just flat-out block the client once it enters the looping state. Hoping
that later requests will start to work again.

HTH
Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
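
A way to spot the looping clients described in this thread from the proxy log, as an added example that is not part of the original message or of Squid itself: it scans access.log lines in Squid's default native format for runs of 407 responses logged without a username. The sample lines, the function names, and the `threshold` and `max_gap` values are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample lines in Squid's default native access.log layout:
# time elapsed client result/status bytes method URL user hierarchy type
SAMPLE_LOG = """\
1450326840.101 0 192.0.2.10 TCP_DENIED/407 4012 GET http://example.com/ - HIER_NONE/- text/html
1450326840.150 0 192.0.2.10 TCP_DENIED/407 4290 GET http://example.com/ - HIER_NONE/- text/html
1450326840.300 85 192.0.2.10 TCP_MISS/200 5120 GET http://example.com/ alice HIER_DIRECT/198.51.100.7 text/html
1450326841.000 0 192.0.2.20 TCP_DENIED/407 4012 GET http://example.com/ - HIER_NONE/- text/html
1450326841.200 0 192.0.2.20 TCP_DENIED/407 4012 GET http://example.com/ - HIER_NONE/- text/html
1450326841.400 0 192.0.2.20 TCP_DENIED/407 4012 GET http://example.com/ - HIER_NONE/- text/html
1450326841.600 0 192.0.2.20 TCP_DENIED/407 4012 GET http://example.com/ - HIER_NONE/- text/html
1450326900.000 0 192.0.2.30 TCP_DENIED/407 4012 GET http://example.com/ - HIER_NONE/- text/html
1450326960.000 0 192.0.2.30 TCP_DENIED/407 4012 GET http://example.com/ - HIER_NONE/- text/html
1450327020.000 0 192.0.2.30 TCP_DENIED/407 4012 GET http://example.com/ - HIER_NONE/- text/html
1450327080.000 0 192.0.2.30 TCP_DENIED/407 4012 GET http://example.com/ - HIER_NONE/- text/html
"""

def parse_line(line):
    parts = line.split()
    try:
        return float(parts[0]), parts[2], int(parts[3].rsplit("/", 1)[1]), parts[7]
    except (ValueError, IndexError):
        return None  # blank or malformed line

def find_auth_loops(lines, threshold=4, max_gap=5.0):
    """Return {client: longest run} of back-to-back 407s with no username."""
    # A healthy NTLM handshake logs two 407s (Negotiate/Kerberos one) before
    # the authenticated request, so the threshold (assumed) must exceed that.
    run, last_ts, longest = defaultdict(int), {}, defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, status, user = rec
        if status == 407 and user == "-":
            if ts - last_ts.get(client, ts) > max_gap:
                run[client] = 0  # too far apart to be one retry loop
            run[client] += 1
            last_ts[client] = ts
            longest[client] = max(longest[client], run[client])
        else:
            run[client] = 0  # any other response ends the run
    return {c: n for c, n in longest.items() if n >= threshold}

if __name__ == "__main__":
    for client, n in find_auth_loops(SAMPLE_LOG.splitlines()).items():
        print(f"{client}: {n} consecutive 407s without a username")
```

Browsers open several connections at once and each one runs its own handshake, so raise `threshold` where healthy clients produce bursts of 407s.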