Chemolli Francesco (USI) wrote:
> It is a problem which is related to Internet Explorer and NTLM.
> NTLM authentication handshake implies at least 3 HTTP requests, the first 2
> getting 407's. Only at the third request Squid gets to know the user's
> credentials. If the check fails, without KINKIE_407_HACK, squid will 403.
> The problem is that the damned Explorer, upon getting a 403, will NOT
> pop up a window and ask for alternate credentials, it will just display the
> error page. If the user reloaded the page, it would happen again and
> the user would never be allowed to enter alternate credentials.
> With Robert's help, we hacked on client_side.c so that it returned 407's
> upon failed auth, so that users may get the popup window.
Not sure I follow. What is "failed auth" and why is there a 403 and how
is this related to NTLM? (403 SHOULD NOT cause a login request, so I do
not see an error in IE there).
If a user is denied access due to a proxy_auth ACL the browser SHOULD
receive a 407 reply, no matter what state the authentication process is
in.
If a user is denied access due to to a more complex http_access line
he/she may receive a 403 reply or a 407 reply depending on how the
http_access line reads.
acl auth proxy_auth ...
acl somesite dstdomain ...
http_access deny auth somesite
[403]
http_access deny somesite auth
[407]
http_access deny !auth somesite
[403]
http_access deny somesite !auth
[407]
-- HenrikReceived on Thu Jul 05 2001 - 07:50:38 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:14:05 MST