Re: [squid-users] Integrated Windows Authentication through Squid

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 17 Jan 2012 01:25:52 +1300

On 16/01/2012 9:34 p.m., Javier Conti wrote:
> On 14 January 2012 07:44, Amos Jeffries wrote:
>> On 14/01/2012 4:41 a.m., Javier Conti wrote:
>>> Hi list,
>>>
>>> I'm trying to setup access to several internal websites that use
>>> Integrated Windows Authentication in a Windows XP/7/2008
>>> environment through Squid 3.1.12. I successfully setup Squid
>>> to authenticate users using Kerberos or NTLM. With Internet
>>> Explorer and Firefox, users successfully authenticate to squid
>>> and get access to all websites (those without Integrated
>>> Windows Authentication actually work fine).
>>>
>>> However, all websites using Integrated Windows Authentication
>>> respond with a 401.1 Access Denied error, as it seems the
>>> request reaches the web server without information about the
>>> user's credential. Accessing those websites directly works fine.
>>>
>>> I still don't fully understand how Integrated Windows Authentication
>>> really works, but is anyone successfully using it through a proxy?
>>> Any hints or links to documentation on how it should work in detail?
>>>
>>> Thanks, Javier
>>
>> NTLM does not work over the Internet due to the way it requires breaking
>> the HTTP protocol. Not many admins are happy breaking overall network performance
>> to cater for MS product design.
>>
>> Kerberos is updated to fix several of the major problems NTLM had in the
>> handshake portion. As a result of that change it should in theory work over
>> the Internet more often. It still requires persistent connections for
>> anything like good performance and still depends on the "pinning" hack to
>> break HTTP multiplexing and emulate an end-to-end TCP connection.
>>
>> So the answer is "yes, it works successfully through Squid." but that does
>> not cover whether it works through any of your hardware, firewalls, IDS
>> systems, NAT systems, your upstream providers, their providers, the site's
>> provider etc. There is a LOT of hardware and software involved. Any one of
>> which could break the requirements Windows LAN auth systems depend on.
>>
>> The authentication protocols which were designed to work as part of the HTTP
>> protocol operate just fine when sent over the Internet. As you saw.
> Hi Amos, thanks for your reply. I now have the impression that even if I manage
> to make it work, it would not be as reliable as it should be, and in case I'd
> face problems in the future, troubleshooting would be a nightmare. That
> considered, I think investing more time in this is probably worthless.

Not worthless, sorry for giving that impression. I was aiming at giving
an idea of what is involved and could be investigated to find the problem.
SSO can be useful in LAN where the systems can be controlled to make
sure they all support it. The trouble is usually just the initial
rollout if there has been nothing similar beforehand to weed out the
non-supporting infrastructure.

The recent Squid releases are designed to support NTLM etc as best they
can transparently as forward-proxy, so for LAN traffic it should work
"no problems" (famous last words). But as reverse-proxy can only accept
it to the proxy, not right through to the backend. Kerberos has far less
problems and is somewhat more flexible than NTLM once you get over the
small hurdle of learning the different admin tools.

HTH
Amos
Received on Mon Jan 16 2012 - 12:26:03 MST
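The point Amos makes above, that NTLM/Negotiate ties the handshake to the TCP connection and therefore only survives a proxy that "pins" each client connection to one backend connection, can be shown with a small model. The following is an added example written for this archive page, not code from Squid or from either poster; the backend, the two proxy strategies, the client handshake and the message strings ("NTLM type1", "NTLM challenge-N", "NTLM type3 user:N") are all constructed for illustration and are not the real NTLM wire format. It shows the handshake failing through a connection-pooling proxy, succeeding through a pinning proxy, and, as the security side of the same design, an unauthenticated second client being served on a connection another user had already authenticated.

```python
import itertools


class ConnAuthBackend:
    """Origin server whose authentication state lives on the backend TCP
    connection, as with NTLM/Negotiate over HTTP. Constructed toy model;
    the message formats are invented for the illustration."""

    def __init__(self):
        # backend conn id -> {"phase": "challenged", "nonce": n} or {"phase": "ok", "user": u}
        self.state = {}
        self.nonces = itertools.count(1)

    def handle(self, conn_id, headers):
        st = self.state.get(conn_id)
        auth = headers.get("Authorization", "")
        if st and st["phase"] == "ok":
            # Connection already authenticated: later requests on it pass
            # without any credentials at all (this is what pooling leaks).
            return 200, {"user": st["user"]}
        if auth == "NTLM type1":
            # Leg 1 of the handshake: remember the challenge on *this* connection.
            nonce = next(self.nonces)
            self.state[conn_id] = {"phase": "challenged", "nonce": nonce}
            return 401, {"WWW-Authenticate": f"NTLM challenge-{nonce}"}
        if auth.startswith("NTLM type3 ") and st and st["phase"] == "challenged":
            # Leg 2: the response is only valid on the connection that was challenged.
            user, nonce = auth.split(" ", 2)[2].split(":")
            if int(nonce) == st["nonce"]:
                self.state[conn_id] = {"phase": "ok", "user": user}
                return 200, {"user": user}
        # Anything else: drop any half-finished state and deny (the 401.1 case).
        self.state.pop(conn_id, None)
        return 401, {"WWW-Authenticate": "NTLM"}


class PooledProxy:
    """Ordinary HTTP multiplexing: any idle backend connection serves any request."""

    def __init__(self, backend, pool_size=2):
        self.backend = backend
        self.pool = itertools.cycle(range(pool_size))

    def forward(self, client_conn, headers):
        return self.backend.handle(f"backend-{next(self.pool)}", headers)


class PinnedProxy:
    """Pinning: each client connection gets a dedicated backend connection,
    emulating an end-to-end TCP connection through the proxy."""

    def __init__(self, backend):
        self.backend = backend

    def forward(self, client_conn, headers):
        return self.backend.handle(f"pinned-for-{client_conn}", headers)


def ntlm_fetch(proxy, client_conn, user):
    """Run the three-leg handshake a browser would, all on one client connection.
    Returns (final status, transcript of (auth header sent, status received))."""
    transcript = []
    status, hdrs = proxy.forward(client_conn, {})                  # anonymous request
    transcript.append((None, status))
    if status != 401:
        return status, transcript
    status, hdrs = proxy.forward(client_conn, {"Authorization": "NTLM type1"})
    transcript.append(("type1", status))
    challenge = hdrs.get("WWW-Authenticate", "")
    if not challenge.startswith("NTLM challenge-"):
        return status, transcript                                  # handshake lost
    nonce = challenge.split("-")[1]
    status, hdrs = proxy.forward(client_conn, {"Authorization": f"NTLM type3 {user}:{nonce}"})
    transcript.append(("type3", status))
    return status, transcript


def demo():
    """Same client, same backend design, two proxy strategies: (pooled, pinned) statuses."""
    pooled_status, _ = ntlm_fetch(PooledProxy(ConnAuthBackend()), "client-a", "alice")
    pinned_status, _ = ntlm_fetch(PinnedProxy(ConnAuthBackend()), "client-a", "alice")
    return pooled_status, pinned_status


def pooled_cross_user_leak():
    """The security side of pooling: with one shared backend connection, alice's
    handshake completes on it and bob's anonymous request is then served as alice."""
    proxy = PooledProxy(ConnAuthBackend(), pool_size=1)
    alice_status, _ = ntlm_fetch(proxy, "client-alice", "alice")
    bob_status, bob_hdrs = proxy.forward("client-bob", {})
    return alice_status, bob_status, bob_hdrs.get("user")


if __name__ == "__main__":
    print("pooled vs pinned final status:", demo())                # (401, 200)
    print("alice, bob, user bob was served as:", pooled_cross_user_leak())
```

The pooled run fails because the type3 response lands on a backend connection that never saw the challenge, which is exactly the symptom in the original question: the origin sees a request with no usable credential state and answers 401. The leak function is why pinning has to be all-or-nothing per client connection: once a backend connection is authenticated, whoever the proxy next routes onto it inherits that identity.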
