On Monday 08 September 2003 10.28, Serassio Guido wrote:

> The helper currently doesn't allow the reuse of a challenge with a
> sort of two state architecture:

A challenge should only be reused if using synthetic challenges and the current client disconnects before sending the authenticate packet. When not using synthetic challenges the situation gets messier, as then the challenge packet depends on the negotiate packet and it becomes almost impossible to reuse the challenge safely.

Any other reuses of a challenge (i.e. two or more KK for the same TT) is bending the NTLMSSP protocol and is very likely to fail with any decent NTLMSSP implementation. Stupid NTLMSSP implementations such as our old helpers may accept multiple KK for the same challenge, but you can't rely on this for real NTLMSSP implementations as the NTLMSSP does not expect a second AUTHENTICATE packet.

Now, I am not entirely sure how Windows NTLMSSP acts on failed authentication, i.e. if it directly returns a new challenge or if an error is returned.

> if a KK is got with an already used challenge, a BH is generated.

Good. It should.

> It seems that in Squid there is a problem:
> I'm using auth_param ntlm max_challenge_reuses 0, but sometimes I
> get a KK without a YR, the helper sends a BH to squid and Internet
> Explorer pops up for authentication.

Anything in cache.log? I think there is code to force challenge reuse if running low on helpers..

Regards
Henrik
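The two-state helper behaviour discussed above (YR answered with a TT challenge, KK answered with AF/NA, and BH when a KK arrives without a live challenge or reuses a consumed one) can be modelled as a small state machine. The following is an added illustration, not Squid's helper code: it assumes the YR/TT/KK/AF/NA/BH tokens used in this thread, a `max_challenge_reuses` knob with the same meaning as the `auth_param ntlm` option, synthetic 8-byte challenges, and the standard NTLM type-3 layout (signature, message type, security buffers for LM, NT, domain, user, workstation). It checks message structure and counts challenge uses; it does not verify the NT response, and the type-3 message it feeds itself is constructed test input.

```python
import base64
import os
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLM_AUTHENTICATE = 3  # NTLM message type 3 (AUTHENTICATE)
HEADER_LEN = 64        # signature + type + 6 security buffers + flags


def build_authenticate(user, domain):
    """Construct a minimal NTLM type-3 message (constructed test input, not a real client)."""
    user_b = user.encode("utf-16-le")
    domain_b = domain.encode("utf-16-le")
    body, fields = b"", []
    # Security buffers in on-the-wire order: LM response, NT response, domain, user, workstation.
    for data in (b"", b"", domain_b, user_b, b""):
        fields.append(struct.pack("<HHI", len(data), len(data), HEADER_LEN + len(body)))
        body += data
    header = NTLMSSP_SIGNATURE + struct.pack("<I", NTLM_AUTHENTICATE) + b"".join(fields)
    header += struct.pack("<HHI", 0, 0, HEADER_LEN + len(body))  # empty session key buffer
    header += struct.pack("<I", 0x00000001)                       # NEGOTIATE_UNICODE
    return header + body


def kk_line(user, domain):
    """The 'KK <base64 type-3>' line a client-facing Squid would hand the helper."""
    return "KK " + base64.b64encode(build_authenticate(user, domain)).decode()


def parse_authenticate(blob):
    """Validate an AUTHENTICATE packet and return (domain, user); raise on anything malformed."""
    if len(blob) < HEADER_LEN or blob[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", blob, 8)
    if msg_type != NTLM_AUTHENTICATE:
        raise ValueError("expected AUTHENTICATE (type 3), got type %d" % msg_type)
    dlen, _, doff = struct.unpack_from("<HHI", blob, 28)  # domain buffer
    ulen, _, uoff = struct.unpack_from("<HHI", blob, 36)  # user buffer
    if doff + dlen > len(blob) or uoff + ulen > len(blob):
        raise ValueError("security buffer points outside the message")
    return blob[doff:doff + dlen].decode("utf-16-le"), blob[uoff:uoff + ulen].decode("utf-16-le")


class NtlmHelper:
    """Toy two-state helper: YR -> TT <challenge>, KK -> AF/NA, BH on protocol misuse."""

    def __init__(self, max_challenge_reuses=0):
        self.max_challenge_reuses = max_challenge_reuses
        self.challenge = None  # current synthetic challenge, None until the first YR
        self.uses = 0          # KK packets already answered with this challenge

    def handle(self, line):
        cmd, _, payload = line.strip().partition(" ")
        if cmd == "YR":
            self.challenge = os.urandom(8)  # fresh synthetic challenge per YR
            self.uses = 0
            return "TT " + base64.b64encode(self.challenge).decode()
        if cmd == "KK":
            return self._authenticate(payload)
        return "BH unknown command " + cmd

    def _authenticate(self, payload):
        if self.challenge is None:
            return "BH KK without a preceding YR"
        if self.uses > self.max_challenge_reuses:
            # A second KK for the same TT: refuse rather than bend the protocol.
            return "BH challenge already used"
        self.uses += 1
        try:
            domain, user = parse_authenticate(base64.b64decode(payload))
        except (ValueError, struct.error) as exc:  # binascii.Error is a ValueError
            return "NA malformed AUTHENTICATE: %s" % exc
        return "AF %s\\%s" % (domain, user)
```

With `max_challenge_reuses=0` the second KK against one TT yields BH, which is the symptom described in the thread when Squid sends a KK without a fresh YR; raising the knob lets the same challenge answer more KKs, which is exactly the reuse the message warns is unsafe against a real NTLMSSP implementation.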
