Re: [squid-users] NTLM not-proxiable- workarounds?

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Thu, 4 Dec 2003 00:21:04 +0100 (CET)

On Wed, 3 Dec 2003, Josh Wyatt wrote:

> I know that NTLM authentication is not proxiable, per Microsoft and per reading several threads on the subject. I'm
> wondering what other Squid users do when you have users using it, but still need to deploy a transparent proxy.

Add exclusions to the interception for the NTLM sites the users need
access to, on a case by case basis.

> My situation is as follows. I'm using a Cisco router doing WCCP (works great!) redirection to a Red Hat 9 Linux box
> running squid-2.5.STABLE1. Outlook Web Access of course fails through this setup.

Should at least fall back on Basic auth if you upgrade your Squid to
2.5.STABLE2 or later and the IIS server has "plain text" authentication
enabled. (2.5.STABLE2 and later automatically filters out NTLM
authentication from the server challenge, ensuring that the browser does
not select NTLM when it is known it won't work)

It should also work if the OWA administrator enables SSL support to secure
internet access and switches the users to use https:// instead of http://.
Accessing OWA using http:// over the Internet is not very wise from a
security point of view.

> I've tried the following:
> 1. Added 'extension_methods SEARCH SUBSCRIBE UNSUBSCRIBE POLL BCOPY BPROPPATCH' to the config as suggested in another,
> older (circa 2000) thread from this list (for 2.4 and earlier). No effect.

Should not be needed with Squid-2.5.

> 2. Added 'acl exchange urlpath_regex exchange' and 'always_direct allow exchange' to the config, to try and make all
> accesses to urls containing 'exchange' go direct. Squid logs the attempts as going direct, but it doesn't fix
> authentication.

As you note, this won't help. The problem is at a protocol level due to MS
not reading the HTTP specifications.

Regards
Henrik
Received on Wed Dec 03 2003 - 16:21:09 MST
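
The challenge filtering described in the reply above, as an added example (not Squid's code and not part of the original message). The function name, the choice to filter only the NTLM scheme, and the sample response headers are assumptions constructed for illustration.

```python
# Added illustration of stripping NTLM from an origin server's 401 challenge
# so the browser falls back to another offered scheme (e.g. Basic).
# Not Squid source code; names and sample data are constructed.

BLOCKED_SCHEMES = frozenset({"ntlm"})  # assumption: only NTLM is filtered


def filter_challenges(headers, blocked=BLOCKED_SCHEMES):
    """Drop WWW-Authenticate headers whose auth scheme is in `blocked`.

    headers: list of (name, value) tuples from the origin response.
    Returns (filtered_headers, remaining_schemes). An empty
    remaining_schemes on a 401 means the server offered nothing the
    proxy can relay, so the site needs an interception exclusion or HTTPS.
    """
    kept, remaining = [], []
    for name, value in headers:
        if name.lower() != "www-authenticate":
            kept.append((name, value))
            continue
        # The scheme is the first token of the challenge, case-insensitive.
        parts = value.strip().split(None, 1)
        scheme = parts[0].lower() if parts else ""
        if scheme in blocked:
            continue  # connection-oriented scheme: do not offer it to the client
        kept.append((name, value))
        remaining.append(scheme)
    return kept, remaining


# Constructed sample: a 401 from a server with NTLM and plain-text auth enabled.
SAMPLE_BOTH = [
    ("Content-Type", "text/html"),
    ("WWW-Authenticate", "NTLM"),
    ("WWW-Authenticate", 'Basic realm="owa.example.test"'),
]

# Constructed sample: a 401 from a server that offers NTLM only.
SAMPLE_NTLM_ONLY = [
    ("Content-Type", "text/html"),
    ("WWW-Authenticate", "NTLM"),
]

if __name__ == "__main__":
    for label, sample in (("both", SAMPLE_BOTH), ("ntlm-only", SAMPLE_NTLM_ONLY)):
        filtered, schemes = filter_challenges(sample)
        print(label, "->", schemes or "no usable scheme left", filtered)
```

When Basic is the scheme left over, credentials cross the wire in recoverable form, which is why the reply pairs this fallback with moving OWA to https://.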
