RE: Problem with NT Authentication

From: Brooks Martin <MBrooks@dont-contact.us>
Date: Wed, 22 Dec 1999 11:04:28 -0000

You can reconfigure IIS to allow plain text authentication against the
Domain userlist. However, as NTLM is proprietary, undocumented and broken,
I'd prefer not to let my users anywhere near it anyway :)
 
As a side point, if IE is configured (in)correctly, it will cheerfully send
your user/domain name and password hash to any server that requests it. IIS
uses this feature to 'auto-authenticate' clients. Nice hey?
 
Mart.

-----Original Message-----
From: Leonardo Rodrigues [mailto:coelho@persogo.com.br]
Sent: 22 December 1999 11:27
To: squid-users@ircache.net
Cc: rstein@persogo.com.br
Subject: Problem with NT Authentication

        People, I'm having some problems accessing some webpages with squid.
It seems that the page is hosted on a Windows NT, anonymous access is
denied, and the IIS is waiting for encrypted passwords ( NTLM scheme, not plain
text ). Of course squid can't do NTLM, and nobody is getting through that
page.

        Look what I get with Lynx configured to use squid:

Looking up secret.address.com.br first.
Looking up 10.32.8.117:8080. <- this is Squid
Making HTTP connection to 10.32.8.117:8080.
Sending HTTP request.
HTTP request sent; waiting for response.
Alert!: Invalid header 'WWW-Authenticate: NTLM'
Can't Access `http://secret.address.com.br/'
Alert!: Unable to access document.

        On Netscape and IE, the error is:

HTTP Error 401

401.2 Unauthorized: Logon Failed due to server configuration

This error indicates that the credentials passed to the server do not match
the credentials required to log on to the server. This is
usually caused by not sending the proper WWW-Authenticate header field.

Please contact the Web server's administrator to verify that you have
permission to access to requested resource.

        
        If I turn off Squid, Netscape and IE give me a username and
password window, which is OK. Without Squid, I can access the page normally.

        I tried to use some ACLs ( src - ip address and dstdomain ) with
always_direct to allow my users to get through that page without getting through
Squid, but it doesn't work.

        Any ideas ? Any clues ? Any tips ? Anything ?
Received on Wed Dec 22 1999 - 04:21:00 MST
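
Added example, not part of either message in this thread: a small check that reads the WWW-Authenticate challenges in a 401 response and reports whether any offered scheme can pass through a proxy that does not tie a client connection to one server connection (NTLM authenticates the TCP connection, not each request), and whether the fallback would send the password as plain text. The function names and both sample responses are constructed for illustration; one challenge per header line is assumed.

```python
# Added illustration; names and sample responses are constructed, not from the thread.

# Schemes that authenticate the TCP connection rather than each request,
# so they break when a proxy reuses or splits connections.
CONNECTION_BOUND = {"ntlm", "negotiate"}
# Schemes that put the password on the wire in recoverable form.
CLEARTEXT = {"basic"}


def offered_schemes(raw_response: str) -> list:
    """Return the scheme of every WWW-Authenticate header, in order.

    Assumes one challenge per header line.
    """
    head = raw_response.split("\r\n\r\n", 1)[0]
    schemes = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "www-authenticate" and value.strip():
            schemes.append(value.split()[0].lower())
    return schemes


def assess(raw_response: str) -> dict:
    """Summarise what a client behind a non-pinning proxy can use."""
    schemes = offered_schemes(raw_response)
    relayable = [s for s in schemes if s not in CONNECTION_BOUND]
    return {
        "schemes": schemes,
        "works_via_plain_proxy": bool(relayable),
        "cleartext_password": any(s in CLEARTEXT for s in relayable),
    }


# Constructed sample: server offers NTLM only, as in the Lynx trace above.
NTLM_ONLY = (
    "HTTP/1.1 401 Access Denied\r\n"
    "WWW-Authenticate: NTLM\r\n"
    "Content-Length: 0\r\n\r\n"
)
# Constructed sample: server also offers plain text (Basic) authentication.
NTLM_AND_BASIC = (
    "HTTP/1.1 401 Access Denied\r\n"
    "WWW-Authenticate: NTLM\r\n"
    'WWW-Authenticate: Basic realm="secret.address.com.br"\r\n'
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    print(assess(NTLM_ONLY))
    print(assess(NTLM_AND_BASIC))
```

When Basic is the only relayable scheme, the password crosses the network base64-encoded unless the site is served over SSL.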
