Re: [squid-users] NTLM authentication to external sites using Windows 7

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 19 Nov 2011 03:32:33 +1300

On 19/11/2011 2:03 a.m., Øyvind Haddal wrote:
> I am in the process of evaluating and testing a Squid configuration in
> my environment. I have everything working the way I want except for
> one thing: NTLM authentication with Windows 7 clients to a site in
> another domain.
>
> Squid proxy is configured with multiple Bluecoat proxy servers as
> parents, which handle all the user authentication using LDAP.
> However, I also have a requirement that users sometimes log on to a site
> located in a different domain, using personal Windows credentials for
> that domain. This works without any problem with Windows XP clients,
> but Windows 7 clients just keep getting the login prompt and are
> unable to log in.
>
> I've configured the GPO for NTLMv1 on my domain, as suggested by other
> threads, but this did not make any difference. All other threads I
> have found are for issues where you want to use NTLM for Squid
> authentication, which is not what I am trying to do.

Avoid NTLMv1. XP and later all support NTLMv2 and there is no
difference between NTLM versions to Squid.

The Squid config you show is not doing anything except passing
credentials untouched to the peers.

> Hoping someone can assist or at least point me in the right direction
> to solve this.

Grab a copy of the HTTP headers in the request and replies to that
website. Likely it is offering Negotiate support and the Windows 7
machines are trying to use it.

Alternatively it could actually be requiring any one of a number of
obsolete Microsoft protocols or encryption methods which all get called
"NTLM" and have been dropped from Windows 7.

Amos
Received on Fri Nov 18 2011 - 14:32:43 MST
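
The header check suggested in the reply above can be scripted. This is an added example, not part of the original message or of Squid: it lists the schemes a captured reply offers and reports whether the token a client sent is NTLMSSP or a GSS-API/SPNEGO blob. The sample capture and function names are constructed for illustration, and it assumes one challenge per header line.

```python
import base64
import struct

# Constructed sample capture (not taken from the original thread).
SAMPLE_REPLY = """HTTP/1.1 401 Unauthorized
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
Content-Length: 0
"""

def offered_schemes(raw_reply):
    """Return (header, scheme) pairs for each authentication challenge, in order."""
    schemes = []
    for line in raw_reply.splitlines()[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in ("www-authenticate", "proxy-authenticate"):
            parts = value.split()
            if parts:
                schemes.append((name.strip(), parts[0]))
    return schemes

def classify_authorization(header_value):
    """Describe what a client actually sent in an Authorization header value."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return scheme, "not NTLM/Negotiate"
    try:
        blob = base64.b64decode(token.strip(), validate=True)
    except ValueError:
        return scheme, "undecodable token"
    # NTLMSSP messages start with a fixed signature, then a little-endian type:
    # 1 = negotiate, 2 = challenge, 3 = authenticate.
    if blob.startswith(b"NTLMSSP\x00") and len(blob) >= 12:
        msg_type = struct.unpack_from("<I", blob, 8)[0]
        return scheme, f"NTLMSSP message type {msg_type}"
    # 0x60 opens an initial GSS-API token, 0xa1 a follow-up SPNEGO response.
    if blob[:1] in (b"\x60", b"\xa1"):
        return scheme, "GSS-API/SPNEGO token"
    return scheme, "unknown token"
```

Comparing the output for a Windows XP capture and a Windows 7 capture shows whether the two clients are answering the same challenge with different mechanisms.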
