Re: [squid-users] External Authentication Error

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 06 Sep 2011 23:21:29 +1200

On 31/08/11 03:04, Josh Phillips wrote:
> I have squid setup to authenticate with my Active Directory. On my
> internal network it works and even does single sign-on. Externally,
> it prompts for user name and password (which is what I wanted
> really...), but no matter if I use a correct or incorrect login it
> rejects the login, keeps prompting and eventually says Cache Access
> Denied. I am guessing that it is saying Cache Access Denied because
> when you are on an external network you logged in with a cached
> version of your AD account, but why is it rejecting the
> authentication attempt through squid?
>

<snip>
>
>
> Is it because on an external network the computer can't actively
> authenticate against the AD that squid is just rejecting the login?

No. It is because the 'L' in NTLM means "LAN".

NTLM assumes that connections are stateful and dedicated to one client
machine or user, whereas HTTP is stateless and services like Squid
multiplex requests into connections which open and close after any request.

> If so, any suggestions on other external authentication methods (I
> don't want to do a simple user/pass setup)[This is a company
> environment]? If not, any ideas on why it is not accepting login on
> an external network, and how can I fix it?
>

Negotiate/Kerberos should work better. The multiple-request handshake is
removed from that version. It still requires pinning support and
persistence end-to-end across the Internet to work well and securely.
But at least it does not require them just to accept the request.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.15
   Beta testers wanted for 3.2.0.11
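The failure Amos describes (a challenge remembered on one server connection, then the response arriving on a different one because the proxy multiplexes) and the reason a per-request Kerberos ticket survives the same proxy, modelled as an added example. This is illustration code written for this archive page, not Squid's code and not from either poster; the class names, the `pinned` flag, the `KDC_KEY` value and the `client_response` stand-in are all constructed, and the cryptographic details of real NTLM and Kerberos are deliberately replaced by simple placeholders.

```python
"""Model of why a connection-bound (NTLM-style) handshake breaks behind a
multiplexing proxy, while a per-request (Kerberos-style) token does not.
Added illustration only; names and secrets below are constructed."""
import hashlib
import hmac
import itertools
import secrets

KDC_KEY = b"constructed-shared-service-key"  # constructed stand-in for the service key


def client_response(nonce: str) -> str:
    """Stand-in for the NTLM response computation (not the real algorithm)."""
    return hashlib.sha256(b"constructed-user-secret" + nonce.encode()).hexdigest()


class NtlmOrigin:
    """Challenge/response where the challenge is remembered per *connection*."""

    def __init__(self):
        self.pending = {}  # connection id -> outstanding challenge nonce

    def handle(self, conn_id: int, msg: dict) -> dict:
        if msg["type"] == "negotiate":
            nonce = secrets.token_hex(8)
            self.pending[conn_id] = nonce  # state is bound to this connection
            return {"status": 401, "challenge": nonce}
        # "authenticate": only valid on the connection that received the challenge
        nonce = self.pending.pop(conn_id, None)
        if nonce is None or msg["response"] != client_response(nonce):
            return {"status": 401, "challenge": None}  # client gets prompted again
        return {"status": 200}


class KerberosOrigin:
    """Per-request ticket verified statelessly with the shared service key."""

    def handle(self, conn_id: int, msg: dict) -> dict:
        tag = hmac.new(KDC_KEY, msg["ticket"].encode(), hashlib.sha256).hexdigest()
        ok = hmac.compare_digest(tag, msg["authenticator"])
        return {"status": 200 if ok else 401}


def mint_ticket(user: str) -> tuple[str, str]:
    """Constructed stand-in for a KDC issuing a ticket plus authenticator."""
    ticket = f"{user}:{secrets.token_hex(4)}"
    return ticket, hmac.new(KDC_KEY, ticket.encode(), hashlib.sha256).hexdigest()


class Proxy:
    """Forwards each client request over a server connection.

    pinned=False: a fresh server connection per request (what a stateless
    proxy does by default). pinned=True: the same client always reuses the
    same server connection, i.e. connection pinning."""

    def __init__(self, origin, pinned: bool):
        self.origin, self.pinned = origin, pinned
        self._ids = itertools.count(1)
        self._client_conn = {}

    def forward(self, client: str, msg: dict) -> dict:
        if self.pinned:
            conn = self._client_conn.setdefault(client, next(self._ids))
        else:
            conn = next(self._ids)
        return self.origin.handle(conn, msg)


def ntlm_login(pinned: bool) -> int:
    """Run the two-leg challenge/response through the proxy; return final HTTP status."""
    proxy = Proxy(NtlmOrigin(), pinned)
    reply = proxy.forward("alice", {"type": "negotiate"})
    final = proxy.forward(
        "alice", {"type": "authenticate", "response": client_response(reply["challenge"])}
    )
    return final["status"]


def kerberos_login(pinned: bool) -> int:
    """Send one self-contained ticket through the proxy; return HTTP status."""
    proxy = Proxy(KerberosOrigin(), pinned)
    ticket, authenticator = mint_ticket("alice")
    return proxy.forward("alice", {"ticket": ticket, "authenticator": authenticator})["status"]


if __name__ == "__main__":
    print("NTLM, multiplexed proxy :", ntlm_login(pinned=False))   # 401: challenge lost
    print("NTLM, pinned connection :", ntlm_login(pinned=True))    # 200
    print("Kerberos, multiplexed   :", kerberos_login(pinned=False))  # 200
    print("Kerberos, pinned        :", kerberos_login(pinned=True))   # 200
```

The unpinned NTLM run reproduces the symptom in the original question: every authenticate leg lands on a connection that never saw the challenge, so the origin answers 401 again and the browser keeps prompting regardless of whether the password was right. The ticket-based run succeeds either way because nothing about it depends on which TCP connection carried the request.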
Received on Tue Sep 06 2011 - 11:21:38 MDT
