Re: [squid-users] connection-auth

From: Vernon A. Fort <vfort_at_provident-solutions.com>
Date: Tue, 08 Mar 2011 08:40:07 -0600

  On 3/7/2011 7:28 PM, Amos Jeffries wrote:
> On Mon, 07 Mar 2011 17:14:40 -0600, Vernon A. Fort wrote:
>
> What do you mean by "external groups"? people accessing from out on
> the Internet?
>
> NP: NTLM does not work reliably across the wide Internet due to its
> design as a LAN protocol. Kerberos is only slightly better over WAN.
>
>
> The key authentication difference between XP and Win7 is NTLM. In Win7
> it has been outright removed from some services (the Server ones) and
> downgraded in all others (client services) to require manual
> configuration turning back on.
> The recommended path is to add Kerberos alongside NTLM until you can
> turn off NTLM entirely. If you absolutely cant start the transition to
> Kerberos then doing that manual configuration of Windows Vista or
> later boxes is required to downgrade their security.
>
> Amos
>
Our setup is simple - just configure the proxy setting in the browser
and start browsing - no auth to squid itself. The site we are trying to
connect to is an internet based windows sharepoint server which requires
authentication:

Cannot connect using version(s) 3.1.[8,9] regardless of the
combination's with connection-auth and pipeline_prefetch. I have also
tried the registry hacks for win7 without success.

I downgraded to version 2.7.9 using the default squid.conf (no
adjustments whatsoever) and CAN successfully connect (authenticate) from
both win7 and xp using IE/Firefox/Chrome. I am by no means and expert
but have experienced greater difficulty using the 3.* versions when
connecting to windows based servers which require authentication. My
observations so far doing NOTHING to the windows boxes is:

Successful connections using version 2.7.9 - default squid.conf.
Unsuccessful connection using 3.1.7 or higher - regardless of the
connection-auth with or without registry hacks.

Vernon
Received on Tue Mar 08 2011 - 14:39:52 MST

This archive was generated by hypermail 2.2.0 : Tue Mar 08 2011 - 12:00:01 MST