[squid-users] Active Directory and user agents - complete ISA replacement

From: George Machitidze <giomac_at_gmail.com>
Date: Thu, 12 Jan 2012 12:37:31 +0400

Hello

I am able to authenticate user agents via "Negotiate" with the following:

auth_param negotiate program /usr/lib64/squid/squid_kerb_auth
auth_param negotiate children 10
auth_param negotiate keep_alive on

I've configured binding with msktutil, and with IE, Mozilla and some other
apps everything works fine - there is no username/password popup, it's
transparent.

Before I did it with winbind, but was getting password popup windows.

When I try to use the Opera browser I get an ugly message after
entering credentials:

authenticateNegotiateHandleReply: Error validating user via Negotiate.
Error returned 'BH received type 1 NTLM token'

I've checked communication between proxy and browser via Wireshark and
I see that Opera is negotiating with NTLMSSP, with string "Negotiate"
with OS revision version (testing with Windows 7 clients).

My goal is to replace ISA with Group+pass AD authentication with Squid
and have transparent proxying on IE and with other clients with popup
windows :)

Is there any "universal", well tested configuration/manual that will
make all clients work?

If there is a need for research, I can join.

Squid versions available: 2.7.x, 3.1.16, 3.2.0.14, custom-compiled RPM
OS: RHEL5

Thanks

Best regards,
George Machitidze
Received on Thu Jan 12 2012 - 08:37:58 MST
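
Added example, not part of the original post and not Squid code: a Python classifier that decodes the token from a "Proxy-Authorization: Negotiate ..." value and reports whether it is a bare NTLMSSP message (the case behind the 'received type 1 NTLM token' error quoted in the post) or a SPNEGO/Kerberos token. The function name, result labels and sample tokens are constructed for illustration, and mechanism detection is a byte search for the OIDs rather than a full ASN.1 parse.

```python
import base64
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
# DER-encoded mechanism OIDs (tag 0x06, length, value)
OID_SPNEGO = bytes.fromhex("06062b0601050502")           # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")       # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")    # 1.2.840.48018.1.2.2
OID_NTLMSSP = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10

def classify_negotiate(header_value):
    """Classify the token in a 'Negotiate <base64>' header value."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "invalid-base64"
    if token.startswith(NTLMSSP_SIG):
        # Bare NTLMSSP message: the type is a little-endian uint32 at offset 8.
        if len(token) < 12:
            return "raw-ntlm-truncated"
        return "raw-ntlm-type%d" % struct.unpack_from("<I", token, 8)[0]
    if token[:1] == b"\x60":  # GSS-API initial token; OID search is a heuristic
        has_krb5 = OID_KRB5 in token or OID_MS_KRB5 in token
        if OID_SPNEGO in token:
            if has_krb5:
                return "spnego-kerberos"
            return "spnego-ntlm-only" if OID_NTLMSSP in token else "spnego-other"
        if has_krb5:
            return "raw-kerberos"
    return "unknown"

def tlv(tag, body):
    """Constructed-sample helper: DER tag + short-form length + body."""
    return bytes([tag, len(body)]) + body

# Constructed samples, not captured traffic.
NTLM_TYPE1 = NTLMSSP_SIG + struct.pack("<II", 1, 0xE2088297) + bytes(16)
SPNEGO_KRB5 = tlv(0x60, OID_SPNEGO + tlv(0xA0, tlv(0x30, tlv(0xA0,
    tlv(0x30, OID_MS_KRB5 + OID_KRB5)))))
SAMPLES = {name: "Negotiate " + base64.b64encode(tok).decode()
           for name, tok in (("ntlm", NTLM_TYPE1), ("krb5", SPNEGO_KRB5))}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, "->", classify_negotiate(value))
```

Feeding it the header value copied from a packet capture shows which kind of token a given browser sent under the "Negotiate" scheme.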
