AW: [squid-users] force basic NTLM-auth for certain clients/urls

From: <Markus.Rietzler@dont-contact.us>
Date: Tue, 16 Oct 2007 18:17:25 +0200

thanks for that hint - it worked as a fix

i have added this to my squid.conf

acl javaNtlmFix browser -i java
header_access Proxy-Authenticate deny javaNtlmFix
header_replace Proxy-Authenticate Basic realm="Internet Access"

now any java-client (java web start, java or applets in browser) will only see the basic auth scheme.
a username/password dialog pops up and i have to enter my credentials.

any other client (firefox, ie) still sees both the NTLM and Basic schemes and uses NTLM challenge response to authenticate...

the little drawback is that there is that little nasty dialog, but the connection via proxy is working...

thanks

markus

>-----Original Message-----
>From: Chris Robertson [mailto:crobertson@gci.net]
>Sent: Saturday, 13 October 2007 02:10
>To: squid-users@squid-cache.org
>Subject: Re: [squid-users] force basic NTLM-auth for certain clients/urls
>
>Markus.Rietzler@rzf.fin-nrw.de wrote:
>> we are running squid 2.6stable16 with ntlm auth. we use winbind to
>> support challenge response auth so that there is no user interaction or
>> password dialog popup.
>>
>> is it possible to force basic auth - so that no ntlm-auth is used or
>> tried before - for certain clients (eg acl javavm browser java) or urls?
>>
>> proxy-auth uses settings from auth_param but you can't define which
>> auth-schema being used, right?
>>
>
>Right.
>
>>
>> markus
>>
>
>Perhaps it would be possible to use "header_access Proxy-Authenticate
>deny java" and "header_replace" in a creative fashion to not tell the
>java browser that NTLM is an authentication option. Given sufficient
>free time, it would certainly be fun to tinker at...
>
>http://www.squid-cache.org/Versions/v2/2.6/cfgman/header_access.html
>http://www.squid-cache.org/Versions/v2/2.6/cfgman/header_replace.html
>
>Chris
>
Received on Tue Oct 16 2007 - 10:17:43 MDT
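
Added example (not part of the original messages and not Squid's own code): a small Python model of how the three squid.conf lines above change the 407 challenge per client, useful for checking which User-Agents end up limited to Basic. The 407 header list and the User-Agent strings are constructed, and replacing every denied Proxy-Authenticate entry is an assumption about Squid's behaviour.

```python
import re

# Model of the three squid.conf lines quoted in the message (simplified).
ACL_JAVA = re.compile(r"java", re.IGNORECASE)   # acl javaNtlmFix browser -i java
MANGLED = "proxy-authenticate"                  # header_access ... deny javaNtlmFix
REPLACEMENT = 'Basic realm="Internet Access"'   # header_replace Proxy-Authenticate ...

# Constructed 407 reply headers from a proxy offering both schemes.
CHALLENGE_407 = [
    ("Proxy-Authenticate", "NTLM"),
    ("Proxy-Authenticate", 'Basic realm="proxy"'),
    ("Content-Type", "text/html"),
]

# Constructed User-Agent strings; the last one is a hypothetical non-Java client.
SAMPLE_AGENTS = [
    "Java/1.6.0_02",
    "Mozilla/4.0 (Windows XP 5.1) Java/1.5.0_12",
    "Mozilla/5.0 (Windows; U; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7",
    "JavaScriptFetcher/0.1",
]

def mangle_reply(user_agent, headers):
    """Return the reply headers as this client would receive them."""
    if not user_agent or not ACL_JAVA.search(user_agent):
        return list(headers)  # ACL miss: header_replace never applies
    # Assumption: every denied Proxy-Authenticate entry gets the replacement.
    return [(n, REPLACEMENT) if n.lower() == MANGLED else (n, v)
            for n, v in headers]

def offered_schemes(headers):
    """Auth schemes advertised: first token of each Proxy-Authenticate value."""
    return {v.split(None, 1)[0] for n, v in headers if n.lower() == MANGLED}

def audit(user_agents, headers=CHALLENGE_407):
    """Map each User-Agent to (sorted schemes, True if limited to Basic)."""
    report = {}
    for ua in user_agents:
        schemes = offered_schemes(mangle_reply(ua, headers))
        report[ua] = (sorted(schemes), schemes == {"Basic"})
    return report

if __name__ == "__main__":
    for ua, (schemes, basic_only) in audit(SAMPLE_AGENTS).items():
        print(f"{'BASIC-ONLY' if basic_only else 'unchanged ':10} {schemes} {ua}")
```

The last sample agent shows that the unanchored pattern `java` also matches names such as JavaScriptFetcher, so it is worth reviewing which clients the ACL really covers.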
