[squid-users] Two questions about cache for squid authentication

Amos Jeffries squid3 at treenet.co.nz
Tue Aug 17 07:40:21 UTC 2021


On 17/08/21 6:25 pm, 易铭 wrote:
> Dear all,
> 
> I have two questions about cache for squid authentication.
> 
> 1. Can I skip authentication for a certain period of time after I've 
> authenticated once?
> 
> When I do the following, the authentication screen appears.
> 
> Start browser -> access site after authentication (Kerberos 
> authentication) -> close browser -> start another application (LDAP 
> authentication)
> 

Negotiate/Kerberos authentication authenticates the TCP connection. All 
messages on that connection require the Kerberos tokens to prove it is 
valid on that connection.


> So, even using Kerberos and LDAP auth at the same time, I want to skip 
> the authentication process by clientIPaddress, etc.
> 

This is authorization *not* authentication.


> 2. About authentication data passing in NTLM authentication on website.
> 

NTLM, just like Negotiate/Kerberos, authenticates the TCP connection and 
requires all messages to have the appropriate tokens.


> SingleSignOn is not working for some sites with NTLM authentication.
> 

That is a Browser issue. "single sign-on" is a behaviour of clients, 
where they choose to send the same credentials to all services. It has 
nothing to do with the service like Squid.


> For example, when the authentication pop-up message appears, you can 
> enter the auth information to access the page, but if you visit a 
> different URL, you will be prompted to authenticate again.
> 
> Can someone give me some advice?
> 

The client doing that is broken or confused.

Maybe the confusion happened because of your mixed up squid config 
rules. Or maybe not. You have not provided any information about your 
squid.conf, network topology, or how the clients are using the proxy - 
so we cannot tell.

Amos
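
The authentication/authorization distinction drawn in the reply above, as an added squid.conf example that is not part of the original thread. The helper path, ACL names and address range are assumptions chosen for illustration.

```conf
# Added example: constructed values, not taken from the thread.
# The helper path is installation-specific (assumption).
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth
auth_param negotiate children 20
auth_param negotiate keep_alive on

# Authentication: this ACL matches only when the client has presented
# valid credentials. Evaluating it without credentials makes Squid
# answer 407 and challenge the client.
acl authenticated proxy_auth REQUIRED

# Authorization by source address: no credentials are involved, so
# requests allowed this way carry no username in access.log.
# 192.0.2.0/28 is a constructed documentation range.
acl trusted_hosts src 192.0.2.0/28

# http_access rules are evaluated top to bottom and the first match wins.
# trusted_hosts is tested before any proxy_auth ACL, so those clients are
# never challenged; every other client must authenticate.
http_access allow trusted_hosts
http_access allow authenticated
http_access deny all
```

With this ordering the address check identifies a machine, not a user: anyone able to send traffic from a listed address is allowed through unauthenticated.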

