At 15.03 22/11/2003, Henrik Nordstrom wrote:
On Sat, 22 Nov 2003, Serassio Guido wrote:
> With IE 6 SP1, when browsing a ftp:// url, IE always pop-ups for > authentication when trying to download internal ftp icons from Squid. > But changing the IE default security settings for Internet Zone from "User > Authentication->Logon->Prompt for user name and password" to "User > Authentication->Logon->Automatic logon with current username and password" > seems to avoid the problem.
Ok. Makes sense.
What I think happens here is that your browser is going direct for the icons rather than using the proxy (same port, different concept). Then the authentication is technically to another server even if it happens to have the same ip:port as the proxy.
The problem is something different:
IE uses "Security Zones": by default in the Intranet Zone the automatic NTLM authentication is enabled while in the Internet Zone is disabled.
IE 5.01 identify correctly that the proxy is in the Intranet Zone (I can see the 407/200 sequence in access.log) and authenticate automatically using ntlm for internal Squid objects.
IE 6 SP1 simply doesn't understand that the proxy is in the Intranet Zone, and use the Internet Zone rules, (I can see 407 only) asking for Authentication for internal squid objects.
You should only see this popup once per session (or until the login expires from IE)
This happens for every object .....
> acl internal_icons urlpath_regex [-i] \/squid-internal-static/icons/$ > acl test proxy_auth REQUIRED > > http_access allow internal_icons > http_access allow test > http_access deny all
This is generally to recommend in any authentication setups, assuming you have first limited access on source IP. Try using basic authentication only and you will see why..
> I think that in squid this anomalous browser behaviour is not handled > correctly, causing the wrong NTLM challenge reuse.
It is not an anomalous browser behaviour if my assumption above is correct. Nor should it be related to the issue with challenge reuses even if reuses are disabled..
Yes, but with IE 5.01 there are no problems as with Mozilla in ntlm mode, so in IE 6 SP1 there is something of anomalous.
Regards
Guido
- ======================================================== Guido Serassio Acme Consulting S.r.l. Via Gorizia, 69 10136 - Torino - ITALY Tel. : +39.011.3249426 Fax. : +39.011.3293665 Email: [EMAIL PROTECTED] WWW: http://www.acmeconsulting.it/
