Re: [squid-users] Re: squid 3.3.x and machines that aren't domain members

From: Eugene M. Zheganin <emz_at_norma.perm.ru>
Date: Wed, 11 Dec 2013 13:47:22 +0600

Hi.

On 23.07.2013 07:50, Brendan Kearney wrote:
>
> your "home machine", is it part of the domain that the work proxies are
> authenticating against? You would never be able to retrieve a kerberos
> ticket from the domain to use for authentication to the proxies if your
> home machine is not part of the domain. as for ntlm, you should be able
> to use the proxies if they force auth and support ntlm. you may need to
> configure your browser to use integrated windows authentication. IE vs
> Firefox have different configs that have to be set up for each to work
> with proxies that force authentication.
>
> you may need to turn integrated windows authentication off too, in the
> case where you are not part of the domain. otherwise the user "bob"
> with a password of "blah" in the workgroup "kitchen PC" will be
> presenting his creds to the proxies and will never be allowed to browse.
>
> from the errors, it seems that no ticket is presented by your client. i
> don't see anything about ntlm. you may have fallen into the "valid
> failure" scenario, where the proxy and browser both support and agree to
> NEGOTIATE / Kerberos auth, but your client cannot supply valid
> credentials (in the form of a kerberos ticket), and therefore you are
> not authenticated and not allowed to surf. you do not fall through to
> the next auth type supported because the agreed upon auth method
> returned an appropriate failure.
>
> to get past that, and use an alternate auth method, such as ntlm, you
> need to configure your browser to not use kerberos auth. again, IE and
> Firefox will be different in how you configure that.
>
So, about this problem.

Does anyone have a working method of authorizing Windows browsers on
such a proxy? I can easily install another, just for machines that
aren't joined to the domain, but I kinda dislike this solution. Occam's razor,
you know this stuff. Furthermore, I'm upgrading my old 3.2 squids to
3.3, and I like the way 3.3 is working, except this thing.

I tried to play with FF's options, but didn't succeed - squid keeps
rejecting the authentication. I have basic auth also running, and, if
Escape is pressed on an NTLM/SPNEGO popup, a basic auth popup appears,
but FF for some reason still tried to authenticate using NTLM/SPNEGO.

Thanks.
Eugene.
Received on Wed Dec 11 2013 - 07:47:34 MST
