> On Wed, 3 Dec 2003, Josh Wyatt wrote:
>
> > I know that NTLM authentication is not proxiable, per Microsoft and per reading several threads on the subject. I'm wondering what other Squid users do when you have users using it, but still need to deploy a transparent proxy.
>
> Add exclusions to the interception for the NTLM sites the users need access to, on a case by case basis.

This would be done on the router? Or could I add rules to the Squid server to drop connections from/to those hosts, and let WCCP do the rest...?

> > My situation is as follows. I'm using a Cisco router doing WCCP (works great!) redirection to a Red Hat 9 Linux box running squid-2.5.STABLE1. Outlook Web Access of course fails through this setup.
>
> Should at least fall back on Basic auth if you upgrade your Squid to 2.5.STABLE2 or later and the IIS server has "plain text" authentication enabled. (2.5.STABLE2 and later automatically filters out NTLM authentication from the server challenge, ensuring that the browser does not select NTLM when it is known it won't work.)

Hrm, a big if. However, it seems worth a try.

> It should also work if the OWA administrator enables SSL support to secure Internet access and switches the users to use https:// instead of http://. Accessing OWA using http:// over the Internet is not very wise from a security point of view.

Another big if. So insecure, yet so many users insist on this "easy" technology. Unfortunately I do not have access to the NT admins running those servers.

> > I've tried the following:
> >
> > 1. Added 'extension_methods SEARCH SUBSCRIBE UNSUBSCRIBE POLL BCOPY BPROPPATCH' to the config as suggested in another, older (circa 2000) thread from this list (for 2.4 and earlier). No effect.
>
> Should not be needed with Squid-2.5.
>
> > 2. Added 'acl exchange urlpath_regex exchange' and 'always_direct allow exchange' to the config, to try and make all accesses to URLs containing 'exchange' go direct. Squid logs the attempts as going direct, but it doesn't fix authentication.
>
> As you note this won't help. The problem is at a protocol level due to MS not reading the HTTP specifications.

MS... not adhering to specs... imagine that. When will they learn? Better question, when will the USERS learn to demand BETTER?

> Regards
> Henrik

Cheers, and thanks for the response,
Josh
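The behaviour Henrik attributes to Squid 2.5.STABLE2 above (filtering the NTLM challenge out of the origin server's 401 so the browser falls back to Basic) is easy to picture as a small header rewrite. The following is an added illustration written for this thread, not Squid's own code: it parses a constructed IIS-style 401 response, drops the connection-bound challenge schemes and keeps the rest. Treating Negotiate the same way as NTLM is an assumption on my part (the thread only mentions NTLM), and the sample response, host name and realm are made up. Note it refuses to strip a challenge when nothing else would be left, since a 401 with no WWW-Authenticate header at all helps nobody; and, as Henrik says, a Basic fallback only makes sense when OWA is reached over https://.

```python
"""Strip connection-bound NTLM challenges from an origin server's 401 response.

Added example, not Squid's code: it mimics the behaviour the thread attributes
to Squid 2.5.STABLE2. NTLM authenticates a TCP connection rather than a request,
so it cannot survive an intercepting proxy; removing it from the challenge lets
the browser choose Basic instead of a scheme that is known to fail.
"""

from typing import List, Tuple

# Schemes that bind the authentication to a connection rather than a request.
# Assumption: Negotiate is treated like NTLM; the thread only names NTLM.
CONNECTION_BOUND_SCHEMES = {"ntlm", "negotiate"}


def parse_headers(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw HTTP response head into (status line, [(name, value), ...])."""
    lines = raw.split("\r\n")
    status = lines[0]
    headers = []
    for line in lines[1:]:
        if not line:          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return status, headers


def filter_challenges(headers: List[Tuple[str, str]]) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Drop WWW-Authenticate headers whose scheme is connection-bound.

    Returns the headers that survive and the (upper-cased) schemes removed.
    """
    kept, removed = [], []
    for name, value in headers:
        if name.lower() == "www-authenticate":
            scheme = value.split(None, 1)[0].lower() if value else ""
            if scheme in CONNECTION_BOUND_SCHEMES:
                removed.append(scheme.upper())
                continue
        kept.append((name, value))
    return kept, removed


def rewrite_response(raw: str) -> Tuple[str, List[str]]:
    """Return (rewritten response head, list of schemes stripped).

    Only 401 responses are touched. If stripping would leave no challenge at
    all, the original is returned untouched: a 401 with no WWW-Authenticate
    header is worse than a challenge the client may fail.
    """
    status, headers = parse_headers(raw)
    parts = status.split()
    if len(parts) < 2 or parts[1] != "401":
        return raw, []
    kept, removed = filter_challenges(headers)
    if removed and not any(n.lower() == "www-authenticate" for n, _ in kept):
        return raw, []
    head = "\r\n".join([status] + [f"{n}: {v}" for n, v in kept])
    return head + "\r\n\r\n", removed


# Constructed sample of what an IIS/OWA server with both NTLM and Basic enabled
# might send; values are illustrative, not captured from a real server.
SAMPLE_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: NTLM\r\n"
    'WWW-Authenticate: Basic realm="owa.example.com"\r\n'
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    new_head, stripped = rewrite_response(SAMPLE_401)
    print("stripped schemes:", stripped)
    print(new_head)
```

Running it prints the stripped schemes (Negotiate and NTLM) followed by a 401 that offers only Basic. A real proxy would also need to see the server's response on the same path the client uses, which is exactly what the `always_direct` experiment in the thread bypasses, so the filter and the routing decision have to agree.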
