Re: [squid-users] ntlm and internet explorer

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 14 Sep 2010 01:44:27 +0000

On Mon, 13 Sep 2010 11:28:13 -0500, Terry <td3201_at_gmail.com> wrote:
> I have a working NTLM implementation in place and it works great from
> yum and wget for example. However, when I try to use squid from IE8,
> it prompts for password and I never see the credentials hit squid,
> just this for example:
> 1284395121.846 0 10.8.1.100 TCP_DENIED/407 1798 GET
> http://google.com/ - NONE/- text/html
>
> I have added google.com to IE's local intranet zone and gave that zone
> low priority so I am not sure where the problem lies. Here's my
> configuration:
>
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of="DOM\\proxyusers"
> auth_param ntlm children 5
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of="DOM\\proxyusers"
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 5 hours
>
> acl NTLMUsers proxy_auth REQUIRED
> http_access allow all NTLMUsers
>
> I can test fine from the squid server:
> [root_at_proxy01a squid]# ntlm_auth --helper-protocol=squid-2.5-basic DOM\jmama password
> OK
>
> What am I missing?

The fact that NTLM has been obsolete for 8 years now? Its encryption
schemes were demonstrated to be decrypted in under 15 minutes with a
standard consumer desktop as of a year or so ago.
Microsoft have declared it deprecated in favor of Kerberos back in the
early stages of Vista, and all their newer software attempts to do Kerberos
instead. IE8 and Windows 7 are known to have NTLM fully disabled by
default, with some hoop-jumping needed to open up those holes again.

*Please* look at upgrading your network to Negotiate/Kerberos. It's much
more secure, faster and very much less resource hungry than NTLM.

Amos
Received on Tue Sep 14 2010 - 01:44:31 MDT
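Amos's recommendation, written out as a squid.conf fragment. This is an added example for this archive page, not configuration posted by Terry or shipped by the Squid project. The proxy hostname proxy.example.com, the realm EXAMPLE.COM, the keytab path, the helper path and the Squid version naming of the Kerberos helper are all assumptions; the NTLM and Basic lines are Terry's own, kept only as a fallback. Only the Negotiate scheme carries a Kerberos ticket; Squid offers schemes to the client in the order the auth_param directives appear, so Negotiate has to be declared first.

```conf
# Added example squid.conf fragment (not from the thread): Negotiate/Kerberos
# first, NTLM and Basic kept only as fallbacks for clients that cannot do Kerberos.
#
# Assumptions (none of these are stated on the page):
#  - the proxy host is joined to the AD domain and a keytab holding the
#    HTTP/proxy.example.com service principal exists at /etc/squid/PROXY.keytab
#    (point the helper at it with KRB5_KTNAME=/etc/squid/PROXY.keytab in the
#    environment Squid starts from)
#  - the Squid build ships the Kerberos Negotiate helper: negotiate_kerberos_auth
#    in Squid 3.2 and later, squid_kerb_auth in earlier 3.x builds
#  - browsers are configured with the proxy by NAME (proxy.example.com:3128),
#    never by IP address, since the client requests a ticket for the SPN built
#    from exactly the name it connects to

# Declared first so it is the first scheme offered in Proxy-Authenticate.
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy.example.com@EXAMPLE.COM
auth_param negotiate children 10
auth_param negotiate keep_alive on

# Fallback for non-domain or non-Kerberos clients; the same helper Terry already runs.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of="DOM\\proxyusers"
auth_param ntlm children 5
auth_param ntlm keep_alive on

# Last resort; Basic sends the password in the clear to the proxy.
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of="DOM\\proxyusers"
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

acl AuthUsers proxy_auth REQUIRED

# Conventional deny-then-allow form. Terry's "http_access allow all NTLMUsers"
# also works (both "all" and the proxy_auth ACL must match), but this form makes
# the intent explicit and leaves a final catch-all deny.
http_access deny !AuthUsers
http_access allow AuthUsers
http_access deny all
```

To confirm what the proxy is actually offering, request any URL through it without credentials and read the Proxy-Authenticate headers on the 407 (for example `curl -sI -x proxy.example.com:3128 http://google.com/`); Negotiate should be listed before NTLM. A domain-joined client with a valid ticket can then be checked with `curl --proxy-negotiate -u : -x proxy.example.com:3128 http://google.com/`, and the access log entry should read TCP_MISS/200 (or a hit) with the Kerberos principal in the user column rather than a bare TCP_DENIED/407.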