On 17/12/2015 5:35 a.m., Eugene M. Zheganin wrote:
> Hi.
>
> Is there a way to limit the number of available authentication
> mechanisms (for a client browser) based on certain squid IP which this
> browser connects to, like, using http_port configuration directive ? For
> example this is needed when one needs to allow the non-domain machines to
> pass through authentication/authorization checks using squid with
> full-fledged AD integration (or Kerberos/NTLM, anyway), otherwise they
> are unable to do it. Once they were, for example using Chrome < 41, but
> since >41 Chrome has removed all the options to exclude certain
> authentication methods from its CLI sequence (I still wonder what
> genius proposed this).

Theoretically the client browser is fully aware of what credentials it can use for what schemes (Kerberos, Basic, NTLM, Digest [in that order of security]). And also for remembering which credentials worked or failed on previous attempts with the offered schemes.

So there is no need to filter them at the proxy. *it* is perfectly able to authenticate any credentials it gets given using any of the schemes it is offering. You just happen to not like the outcome when validation prevents login.

>
> If not (and I believe there isn't) could this message be treated as a
> feature request ?

It has been a feature request for years to allow ACL control of auth schemes offered. I even have a design plan laid out for implementing it. But nobody seems to want it enough to sponsor the addition (if you do please contact me directly to discuss).

I am specifically waiting for sponsorship on this one because it needs someone with an actual use-case and implementation to test that it works properly with Negotiate and NTLM.

Otherwise please open a feature request bug to track the status and get notification when somebody does get around to adding it.

Amos