On Tue, 22 Nov 2011 15:34:53 +0100, Emmanuel Lacour wrote:
I enabled kerberos auth on an AD domain with a fallback to ldap basic
auth.
It seems that if someone use the proxy from another lan in another AD
domain on which I have no control, the basic auth is not used.
Is this understandable? Any way to work around this?
Yes this is common. The client application is in complete control over
which authentication methods it uses. All Squid does is offer a set of
possibilities.
Also, Basic auth is sent to the client with a realm= parameter stating
which domain/realm it Squid supports that method from. NTLM and Kerberos
were built around SSO principles, in which a client only has one set of
credentials which are globally accepted or not. The validating process
(Squid) needs access to the DC (AD server) for that users credentials.
Marcus has updated the Kerberos wiki pages with a great overview of how
both of those work.
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
Amos
