RE: Challenge in NTLM authenticator

From: Robert Collins <robert.collins@dont-contact.us>
Date: Mon, 22 Apr 2002 18:28:16 +1000

> -----Original Message-----
> From: Henrik Nordstrom [mailto:hno@squid-cache.org]
> Sent: Monday, April 22, 2002 5:44 PM
> To: Chemolli Francesco (USI); 'Guido Serassio'
> Cc: squid-dev@squid-cache.org
> Subject: Re: Challenge in NTLM authenticator
>
>
> On Monday 22 April 2002 08:47, Chemolli Francesco (USI) wrote:
>
> > Why would you want to do that?
> > Generating the challenge internally is one of the keys for performance
> > and reliability. The whole point in the winbindd helper is to be able
> > to do that...
>
> The situation is quite different when you are running on the NT
> server.

But squid may not be running on an NT Server. It will be running on an
NT platform sure, but that doesn't imply Server.
 
> The question here is more of:
> Should the Squid helper recode everything involved in making NTLM
> challenges, or should it use the official libraries provided by
> Microsoft for doing the same in the way officially supported by
> Microsoft?

 
> Using the SSPI is the documented way of doing NTLMSSP over the wire,
> and easily allows for full support of all the NTLMSSP options, levels
> etc without having to reverse-engineer all aspects of NTLMSSP.

It's targeted at folk writing *both* ends of the application. We need to
interoperate with MS I.E. and have no control over the client. So I'm
not at all convinced that the SSPI is appropriate for anything other
than challenge validation.

Rob
Received on Mon Apr 22 2002 - 02:28:19 MDT
