Configuration with Negotiate/NTLM
Dmitry Kurochkin
dmitry.kurochkin at measurement-factory.com
Wed Mar 23 18:17:31 UTC 2011
Hi Markus.
It looks like you have configured everything correctly. Setting
credentials (POLYDOMAIN/polyuser at polyhost:polypass) and pconn_use_lmt
should be enough.
I have tested NTLM authentication with Web Polygraph v4.3.1 and it works
fine:
* the client sends a request to the proxy with no authentication headers
* the proxy replies with 407 (Proxy Authentication Required) and a
"Proxy-Authenticate: NTLM" header
* the client sends a request with an NTLMSSP_NEGOTIATE message with a null
domain name and a null workstation name
* the proxy replies with 407 (Proxy Authentication Required) and an
NTLMSSP_CHALLENGE message
* the client sends a request on the same TCP connection with an NTLMSSP_AUTH
message
* the proxy replies with 200 (OK) and no authentication headers
The important part is that the client sends the requests on the same TCP
connection, which is why pconn_use_lmt is needed.
It seems to be expected that the client sends the first NTLM token with a
null domain. Only the second client request (after the proxy replies
with NTLMSSP_CHALLENGE) contains the domain, host and username.
Client does not communicate with anything but the proxy. I guess in your
setup the proxy would talk to AD.
According to your further findings [1], this might be a Squid bug. Let's
see what it boils over to.
Regards,
Dmitry
[1] http://thread.gmane.org/gmane.comp.web.squid.devel/14886
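The exchange described in the message above, reconstructed as an added example (not part of the original post and not Web Polygraph or Squid code). It models a proxy that keeps NTLM handshake state per TCP connection and a client that performs the three-request sequence; the "tokens" reuse the real NTLMSSP signature and message-type numbers but carry a constructed placeholder body rather than the real NTLM wire layout, and the nonce check is likewise a stand-in for the real response computation. The credentials are the ones from the message; the connection ids and the `NtlmProxy`/`run_handshake` names are assumptions made for the example.

```python
import base64
import os
import struct

# Simplified stand-in for NTLM messages: the real "NTLMSSP\0" signature and
# little-endian 32-bit message type are used, but the body after them is a
# constructed placeholder, not the real NTLM message layout.
SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE, CHALLENGE, AUTHENTICATE = 1, 2, 3


def build_token(msg_type, body=b""):
    """Base64 token as it would appear after 'NTLM ' in the HTTP header."""
    return base64.b64encode(SIGNATURE + struct.pack("<I", msg_type) + body).decode()


def parse_token(token):
    """Return (message type, body) or raise if the signature is missing."""
    raw = base64.b64decode(token)
    if len(raw) < 12 or not raw.startswith(SIGNATURE):
        raise ValueError("not an NTLMSSP token")
    (msg_type,) = struct.unpack("<I", raw[8:12])
    return msg_type, raw[12:]


class NtlmProxy:
    """Proxy side of the handshake; state is bound to the TCP connection."""

    def __init__(self):
        self.pending = {}  # conn_id -> nonce issued in the CHALLENGE on that connection

    def handle(self, conn_id, headers):
        auth = headers.get("Proxy-Authorization")
        if auth is None or not auth.startswith("NTLM "):
            # request 1: no credentials at all -> ask for NTLM
            return 407, {"Proxy-Authenticate": "NTLM"}
        msg_type, body = parse_token(auth[len("NTLM "):])
        if msg_type == NEGOTIATE:
            nonce = os.urandom(8)
            self.pending[conn_id] = nonce  # remember the challenge for THIS connection
            return 407, {"Proxy-Authenticate": "NTLM " + build_token(CHALLENGE, nonce)}
        if msg_type == AUTHENTICATE:
            nonce = self.pending.pop(conn_id, None)
            if nonce is None:
                # AUTH on a connection that never received a CHALLENGE: restart
                return 407, {"Proxy-Authenticate": "NTLM"}
            if body.startswith(nonce):  # constructed check standing in for the real one
                return 200, {}
            return 407, {"Proxy-Authenticate": "NTLM"}
        return 400, {}


def run_handshake(proxy, reuse_connection=True,
                  domain="POLYDOMAIN", user="polyuser", host="polyhost"):
    """Client side: drive the three requests, return the status codes seen."""
    statuses = []
    conn = 1
    # 1. plain request without authentication headers
    status, hdrs = proxy.handle(conn, {})
    statuses.append(status)
    # 2. NEGOTIATE with empty domain and workstation (body left empty)
    status, hdrs = proxy.handle(
        conn, {"Proxy-Authorization": "NTLM " + build_token(NEGOTIATE)})
    statuses.append(status)
    _, nonce = parse_token(hdrs["Proxy-Authenticate"][len("NTLM "):])
    # 3. AUTH carrying domain, user and host; must stay on the same connection
    if not reuse_connection:
        conn = 2  # a fresh TCP connection: the proxy holds no challenge for it
    ident = f"{domain}\\{user}@{host}".encode()
    status, hdrs = proxy.handle(
        conn, {"Proxy-Authorization": "NTLM " + build_token(AUTHENTICATE, nonce + ident)})
    statuses.append(status)
    return statuses


if __name__ == "__main__":
    print("persistent connection:", run_handshake(NtlmProxy()))
    print("new connection for AUTH:", run_handshake(NtlmProxy(), reuse_connection=False))
```

With the connection reused the proxy sees 407, 407, 200; if the client opens a new connection for the final request the proxy has no pending challenge for it and answers 407 again, which is the failure mode a missing pconn_use_lmt produces in a test setup.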