Francesco Collini wrote:
> Hello,
>
> i am experiencing problem with some remote websites that use IIS and
> ntlm windows authentication.
> The problems persist with 2.6 and 3.1 version, too.
>
> I tried to add: http_port 3128 connection-auth=on but no results.
>
> Is there a solution?
* NTLM websites assume that every piece of HTTP browser and proxy
software supports Microsoft proprietary protocols and connection pinning.
* You are assuming that your proxy is the only proxy in the chain.
Neither if those are likely to be true.
NTLM websites can work locally on a LAN where all software has a chance
of being controlled with the requirement of supporting NTLM. Over the
general Internet it's a non-starter.
Using HTTPS instead of HTTP *almost* guarantees the end-to-end
connection NTLM requires. I say almost because middle-proxies are now
also decrypting HTTPS and proxying it in some places.
The solution is to get the website to use a method of authentication
which works outside walled-garden LANs. Digest auth designed
specifically for high security over HTTP is available. Basic auth is the
'normal' low-security method.
The alternative is to find every proxy in the middle between you and
those sites, and get their admin to turn on connection pinning just for you.
Amos
-- Please be using Current Stable Squid 2.7.STABLE9 or 3.1.5Received on Sat Jul 24 2010 - 01:57:40 MDT
This archive was generated by hypermail 2.2.0 : Sat Jul 24 2010 - 12:00:04 MDT