Hi all,

I have set up Kerberos authentication with a Windows 2019 domain using Squid 5.1 (the Squid version did not fix the issue; tested 4.x and 5.x).

In some cases, some computers are not joined to the domain and we need to allow them to authenticate on Squid. To allow this, Basic Authentication is defined in Squid, and we expect browsers to prompt for a login to be authenticated and access the Internet.

But the behavior is strange. On a computer outside the Windows domain:

Firefox is able to authenticate successfully to Squid using basic auth.
Edge, Chrome and IE still try using the NTLM method and are always rejected with a 407.

When Edge, Chrome and IE try to establish a session, Squid claims:

2021/09/21 01:17:27 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: received type 1 NTLM token; }}

This lets us understand that these 3 browsers try NTLM instead of Basic Authentication. I do not know why these browsers are using NTLM, as they are not connected to the Windows domain.

Why does Squid never get the Basic Authentication credentials? Did I miss something?

Here is my configuration:

auth_param negotiate program /lib/squid3/negotiate_kerberos_auth -r -s GSS_C_NO_NAME -k /etc/squid3/PROXY.keytab
auth_param negotiate children 20 startup=5 idle=1 concurrency=0 queue-size=80 on-persistent-overload=ERR
auth_param negotiate keep_alive on
auth_param basic program /lib/squid3/basic_ldap_auth -v -R -b "DC=articatech,DC=int" -D "administrator@xxxxxxxxxxxxxx" -W /etc/squid3/ldappass.txt -f sAMAccountName=%s -v 3 -h 192.168.90.10
auth_param basic children 3
auth_param basic realm Active Directory articatech.int
auth_param basic credentialsttl 7200 seconds
authenticate_ttl 3600 seconds
authenticate_ip_ttl 1 seconds
authenticate_cache_garbage_interval 3600 seconds
acl AUTHENTICATED proxy_auth REQUIRED
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
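
The helper message quoted in the post ("received type 1 NTLM token") indicates an NTLMSSP message arriving under the Negotiate scheme. As an added example (not part of the original post and not Squid code), this Python script classifies a Proxy-Authorization value from a capture or debug log so the scheme a browser actually chose can be confirmed; the function names and the sample header values are constructed for illustration.

```python
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
SPNEGO_OID = bytes.fromhex("2b0601050502")      # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")  # 1.2.840.113554.1.2.2
NTLM_TYPES = {1: "negotiate", 2: "challenge", 3: "authenticate"}

def gss_mech_oid(token):
    """Return the mechanism OID of a GSS-API initial token, or None."""
    if len(token) < 4 or token[0] != 0x60:
        return None
    # DER length: short form is one byte, long form is 0x80 | count of length bytes
    pos = 2 + ((token[1] & 0x7F) if token[1] & 0x80 else 0)
    if pos + 2 > len(token) or token[pos] != 0x06:
        return None
    return token[pos + 2 : pos + 2 + token[pos + 1]]

def classify(header_value):
    """Return (scheme, description) for one Proxy-Authorization value."""
    scheme, _, blob = header_value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        return scheme, "basic credentials"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:
        return scheme, "invalid base64"
    if token.startswith(NTLMSSP_SIGNATURE):
        if len(token) < 12:
            return scheme, "truncated NTLMSSP message"
        (msg_type,) = struct.unpack_from("<I", token, 8)
        return scheme, "NTLM type %d (%s)" % (msg_type, NTLM_TYPES.get(msg_type, "unknown"))
    oid = gss_mech_oid(token)
    if oid == SPNEGO_OID:
        return scheme, "SPNEGO"
    if oid == KRB5_OID:
        return scheme, "Kerberos 5"
    return scheme, "unrecognised token"

# Constructed sample header values (not captured traffic).
SAMPLES = {
    "ntlm_in_negotiate": "Negotiate " + base64.b64encode(
        NTLMSSP_SIGNATURE + struct.pack("<II", 1, 0)).decode(),
    "spnego": "Negotiate " + base64.b64encode(
        bytes.fromhex("600c0606") + SPNEGO_OID + bytes.fromhex("a0023000")).decode(),
    "basic": "Basic " + base64.b64encode(b"user:password").decode(),
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, "->", classify(value))
```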