Configuration with Negotiate/NTLM

Dmitry Kurochkin dmitry.kurochkin at measurement-factory.com
Wed Mar 23 18:17:31 UTC 2011


Hi Markus.

It looks like you have configured everything correctly. Setting
credentials (POLYDOMAIN/polyuser at polyhost:polypass) and pconn_use_lmt
should be enough.

I have tested NTLM authentication with Web Polygraph v4.3.1 and it works
fine:

* client sends request to the proxy with no authentication headers

* server replies with 407 (Proxy Authentication Required) and
  "Proxy-Authenticate: NTLM" header

* client sends request with NTLMSSP_NEGOTIATE message with null
  domain name and null workstation name

* server replies with 407 (Proxy Authentication Required) and
  NTLMSSP_CHALLENGE message

* client sends request on the same TCP connection with NTLMSSP_AUTH
  message

* server replies with 200 (OK) and no authentication headers

The important part is that client sends requests on the same TCP
connection, that is why pconn_use_lmt is needed.

It seems that it is expected that client sends the first NTLM token with
null domain. Only the second client request (after the proxy replies
with NTLMSSP_CHALLENGE) contains domain, host and username.

Client does not communicate with anything but the proxy. I guess in your
setup the proxy would talk to AD.

According to your further findings [1], this might be a Squid bug. Let's
see what it boils over to.

Regards,
  Dmitry

[1] http://thread.gmane.org/gmane.comp.web.squid.devel/14886
