[squid-users] NTLM problem with squid 2.7 on Windows Server 2008 for IE8 clients

From: Sailor Ripley <junk_at_clix.pt>
Date: Fri, 06 Aug 2010 19:20:06 +0100

Hello,

I've been having trouble configuring squid with NTLM to replace an ISA
Server. The configuration is:

    * squid version 2.7.STABLE7 (downloaded from
      http://squid.acmeconsulting.it/)
    * Windows 2008 Server
    * on the client side: Internet Explorer 8

The problem is that IE8 always prompts for the password unless it is
configured with the servers in the Trusted Zone and Automatic Logon with
current user/password (no tests done with other browsers).

Users were able to access sites through the previous proxy server (ISA
Server) which was using "Integrated Authentication" without having to
provide any credentials. Without any change on Internet Explorer
configuration, once squid is in use, users are prompted for credentials.
Are there any requirements for Internet Explorer configuration to work
with squid's NTLM?

Squid configuration is:

    auth_param ntlm program c:/squid/libexec/mswin_ntlm_auth.exe
    auth_param ntlm children 5

    acl all src all
    acl manager proto cache_object
    acl localhost src 127.0.0.1/32

    acl ntlm proxy_auth REQUIRED

    http_access allow ntlm

    http_access deny all

    icp_access deny all

    http_port 8080

    cache_peer proxytd parent 8080 0 no-query no-digest login=PASS connection-auth=on

    redirect_program C:\\squid\\squidGuard\\squidGuard.exe -c C:\\squid\\squidGuard\\conf\\squidGuard.conf
    acl ss dstdomain ss
    always_direct allow ss
    never_direct deny ss
    no_cache deny ss

    hierarchy_stoplist cgi-bin ?

    acl to_av dstdomain avserver
    header_access Pragma deny to_av

    refresh_pattern -i avserver 10080 20% 999999 ignore-no-cache reload-into-ims

    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
    refresh_pattern . 0 20% 4320

    range_offset_limit -1
    maximum_object_size 200 MB
    quick_abort_min -1

    acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
    upgrade_http0.9 deny shoutcast
    visible_hostname localhost

    acl apache rep_header Server ^Apache
    broken_vary_encoding allow apache

    never_direct allow all

I don't know much about NTLM or ISA so I hope the question isn't stupid...

Thanks in advance,
Sailor
Received on Fri Aug 06 2010 - 18:20:13 MDT
