FW: [squid-users] Squid, ISA and Sharepoint

From: Dwyer, Simon <sdwyer@dont-contact.us>
Date: Thu, 28 Feb 2008 13:03:21 +1100

Hi again,

I have got even more info on how this would like to be done.

They are talking about they might want to use Forms authentication for users
on the internet and from what I think I understand that is basically just a
.net website so that should be too hard to get running :\

But in the end they would really like AD authentication without forms
because forms reports the username differently to sharepoint it seems.

If I was not to use NTLM but simple ldap calls to AD would this allow me to
authenticate on squid then send the credentials straight through to sharepoint
for it to be authenticated again there? From what I see the auth type needs
to be kept to the basic type to be able to pass through? Could someone
elaborate here for me?

Sorry for all the questions but I have spent a lot of time googling and can't
really get a definite answer.

Cheers,

Simon Dwyer

-----Original Message-----
From: Dwyer, Simon
Sent: Wednesday, 27 February 2008 11:26 AM
To: Dwyer, Simon
Subject: RE: [squid-users] Squid, ISA and Sharepoint

Hi all,

I have now been given a rundown on what the company wants to do with the
reverse proxy.

Basically they want to serve a sharepoint server via a reverse proxy that
will do authentication with AD, Forms authentication and Anon access
(guest).

They want to do authentication on the proxy and then have the proxy pass the
credentials through to sharepoint so they won't have to authenticate again.
They are saying ISA will do this fine (have not really looked into it).

They want to do the auth on the proxy so that the authentication happens
before the connection gets into the internal network.

Will this be possible with Squid, be it 2.6 or 3.0?

Cheers in advance.

Simon Dwyer
-----Original Message-----
From: Dwyer, Simon
Sent: Tuesday, 19 February 2008 8:28 AM
To: 'Kinkie'; Adrian Chadd
Cc: squid-users@squid-cache.org
Subject: RE: [squid-users] Squid, ISA and Sharepoint

This is the kind of information and insight I was after. Thanks for the
ideas guys :)

Simon.

-----Original Message-----
From: Kinkie [mailto:gkinkie@gmail.com]
Sent: Monday, 18 February 2008 5:38 PM
To: Adrian Chadd
Cc: Dwyer, Simon; squid-users@squid-cache.org
Subject: Re: [squid-users] Squid, ISA and Sharepoint

On Feb 18, 2008 7:37 AM, Adrian Chadd <adrian@creative.net.au> wrote:
> On Mon, Feb 18, 2008, Dwyer, Simon wrote:
>
> > I believe they want to authenticate twice but I do not really see the point.
> > They will have to authenticate with the sharepoint no matter what happens.
> >
> > Is it possible to get squid to authenticate a user using Active Directory
> > while reverse proxying?
>
> I'm not sure if Squid can do NTLM authentication as an origin server.
> I know it can just pass through the requests and let the sharepoint server
> do authentication.
>
> Henrik? Robert? Kinkie?

It should work just fine, there's nothing in the code that I remember
preventing it. The only way to be sure is "just trying" :)

Authenticating in NTLM over the Internet however is, in my opinion,
pointless and even dangerous - even Microsoft recommends against it
(or at least used to).
It allows anyone on the Internet to mount a wide range of DOS attacks
against AD - I'm not talking about a performance DOS, what I'm
referring to is the possibility to lock one (or all) users out of
logging on their PC.

-- 
    /kinkie
Received on Wed Feb 27 2008 - 19:03:34 MST
