Almighty,

You can't do transparent and NTLM auth together, as in order to do NTLM
the browser must be configured to know it's using a proxy. Unless, as
your handle suggests, you are indeed omnipotent ;-)

This question and ones like it come up a lot - and there is a simple
solution if you are in control of the environment - block all HTTP/S at
the firewall/default gateway from client machines, do WPAD to send the
clients through the proxy and there you go. That way you can also do
access rules on HTTPS requests (only the domain part unless you use
SSLBUMP).

And if you're in a domain, the NTLM is definitely not set up properly if
the browser is prompting for a password. That's the point of NTLM, you
don't need to put in your creds, they are taken from your Windows domain
session.

Cheers
Alex

On 03/10/11 12:00, Almighty wrote:
> Hi,
>
> I am redirecting my clients to my proxy server transparently using IPTABLES,
>
>
> -A PREROUTING -p tcp -m tcp -i eth0 --dport 80 -j REDIRECT --to-ports 8080
>
> I am also using NTLM authentication that forces all connections to
> authenticate to AD.
> The redirect works fine except squid says "Cache error denied" and never
> prompts me for any authentication.
>
> If I manually specify the proxy server IP under my browser then it prompts
> me for authentication and all is well.
>
> Is there any way I can get squid to prompt me for authentication when I
> redirect through IPTABLES?
>
> Many thanks,
>
Received on Mon Oct 03 2011 - 16:56:41 MDT
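
The WPAD setup described in the reply depends on clients fetching a proxy auto-config file. The sketch below is an added example, not part of the original thread; the proxy host name, the internal DNS suffix and port 3128 (Squid's default forward-proxy port, as opposed to the intercept port 8080 in the question) are assumptions.

```javascript
// wpad.dat (proxy auto-config) sketch. Added example; every name is an assumption.
// Written with plain string operations only, so it also runs outside a browser.

var PROXY = "PROXY proxy.example.internal:3128"; // hypothetical Squid forward-proxy listener
var INTERNAL_SUFFIX = ".example.internal";       // hypothetical AD DNS domain

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Single-label names (e.g. "fileserver", "localhost") and loopback stay on the LAN.
  if (host.indexOf(".") === -1 || host === "127.0.0.1") {
    return "DIRECT";
  }

  // Intranet hosts go direct. The leading dot in the suffix keeps look-alike
  // names such as "notexample.internal" from matching.
  if (host.slice(-INTERNAL_SUFFIX.length) === INTERNAL_SUFFIX) {
    return "DIRECT";
  }

  // Everything else is sent to the proxy explicitly, which is what lets the
  // browser answer the proxy's NTLM challenge. There is deliberately no
  // "; DIRECT" fallback: the firewall drops direct port 80/443 from clients,
  // so a fallback would only turn a proxy outage into slow timeouts.
  return PROXY;
}
```

Clients locate this file through a `wpad` DNS name or DHCP option 252, and the web server should serve it with the MIME type `application/x-ns-proxy-autoconfig`.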