[squid-users] NTLM authentication worked in Squid 2.7.STABLE8 Squid Web Proxy, now need it in v3.5 hosted on Windows server 2k12

[Amos Jeffries]

On 27/06/17 12:06, Todd Pearson wrote:
> 
> I am hosting the squid proxy on Windows 2K12 server.   Squid 2.7.STABLE8 
> Squid Web Proxy version worked well for authentication until recent 
> Windows 10 update killed Sha1.  Now I am upgrading to squid proxy 
> version 3.5.x.x to restore authentication.

FYI: upgrading to Squid-3 will not solve that problem by itself. The 
helpers in both Squid series are performing the same logic, with the 
same crypto limitations.

The core problem is that NTLM protocol itself is not capable of anything 
actually considered secure these days. It was declared EOL by MS more 
then 11 years ago, so loss of NTLM related things in Win10 is hardly a 
surprise.

To solve your auth problem what you need is actually a migration to 
Kerberos authentication (Negotiate auth). You might find that slightly 
easier after the Squid-3 upgrade, but the two are really independent 
changes.


> 
> The below settings are longer available in the 3.5.x.x version since the 
> progams do not exist for the new version:
> 
> auth_param ntlm program c:/squid/libexec/mswin_ntlm_auth.exe
> 
> external_acl_type win_domain_group %LOGIN 
> c:/squid/libexec/mswin_check_ad_group.exe -G
> 
> 
> What are the equivalent setting for v 3.5.  Once again I am in windows 
> environment.

The helpers still exist, they just got renamed to follow a structured 
taxonomy:
<http://www.squid-cache.org/Versions/v3/3.2/RELEASENOTES.html#ss2.6>


Amos