On 25/05/2012 7:50 a.m., Ruiyuan Jiang wrote:
> Hi, Clem
>
> I am reading your post
>
> http://www.squid-cache.org/mail-archive/squid-users/201203/0454.html
>
> In the post, someone stated that NTLM auth does not support:
>
> It's facing the double hop issue, ntlm credentials can be sent only on one hop, and is lost with 2 hops like : client -> squid (hop1) IIS6 rpx proxy (hop2) -> exchange 2007
>
> That is not true. Here we have the setup:
>
> Client -> Apache (hop1) -> IIS 7 -> exchange 2007
>
> The setup works; I just could not have the latest Apache. Otherwise I will continue to use Apache reverse proxy. The latest Apache does not support MS RPC over http which is posted on the internet.
>
> https://issues.apache.org/bugzilla/show_bug.cgi?id=40029
>
> I am not sure why squid does not support NTLM auth to the backend exchange server.

Squid does support relaying any type of www-auth headers to the backend
over multiple hops. What Squid does not support is logging *itself* into
a peer proxy with NTLM (using proxy-auth headers).

There are also various minor but annoying bugs in NTLM pinning support
and persistent connections handling in some Squid releases, with those
basically the newer the Squid release the better but it's still not 100%
clean.

I am noting a LOT of complaints in the areas of Squid->IIS and
sharepoint, and a few other MS products this year. But nobody has yet
been able to supply a patch for anything (I don't have MS products or
time to work on this stuff myself). There is a hint that it is related
to Squid-3.1 persistent connection keep-alive to the server, if that
helps anyone.

Amos
Received on Sun May 27 2012 - 10:10:19 MDT