<html><head></head><body><div style="color:#000; background-color:#fff; font-family:Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px"><div id="yui_3_16_0_1_1498581512624_10594"><span></span></div><div class="qtdSeparateBR" id="yui_3_16_0_1_1498581512624_10565" dir="ltr"><br>Thank you for the information. Is there any place to download the helper binaries for NTLM? Or do I need to build them myself?</div><div class="qtdSeparateBR" id="yui_3_16_0_1_1498581512624_10565"><br></div><div class="qtdSeparateBR" id="yui_3_16_0_1_1498581512624_10565">Is there additional information on Kerberos configuration in a Windows environment? Trying to wrap my head around the keytab and creation of it in a Windows-only environment.</div><div class="yahoo_quoted" id="yui_3_16_0_1_1498581512624_10624" style="display: block;"> <div style="font-family: Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;" id="yui_3_16_0_1_1498581512624_10623"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;" id="yui_3_16_0_1_1498581512624_10622"> <div dir="ltr" id="yui_3_16_0_1_1498581512624_10621"> <font size="2" face="Arial" id="yui_3_16_0_1_1498581512624_10625"> <hr size="1"> <b><span style="font-weight:bold;">From:</span></b> Amos Jeffries &lt;squid3@treenet.co.nz&gt;<br> <b><span style="font-weight: bold;">To:</span></b> squid-users@lists.squid-cache.org <br> <b><span style="font-weight: bold;">Sent:</span></b> Tuesday, June 27, 2017 8:40 AM<br> <b><span style="font-weight: bold;">Subject:</span></b> Re: [squid-users] NTLM authentication worked in Squid 2.7.STABLE8 Squid Web Proxy, now need it in v3.5 hosted on Windows server 2k12<br> </font> </div> <div class="y_msg_container" id="yui_3_16_0_1_1498581512624_10626"><br><div dir="ltr" id="yui_3_16_0_1_1498581512624_10627">On 27/06/17 12:06, Todd Pearson wrote:<br clear="none">> <br clear="none">> I am hosting the squid proxy on Windows 
2K12 server. Squid 2.7.STABLE8 <br clear="none">> Squid Web Proxy version worked well for authentication until recent <br clear="none">> Windows 10 update killed Sha1. Now I am upgrading to squid proxy <br clear="none">> version 3.5.x.x to restore authentication.<br clear="none"><br clear="none">FYI: upgrading to Squid-3 will not solve that problem by itself. The <br clear="none">helpers in both Squid series are performing the same logic, with the <br clear="none">same crypto limitations.<br clear="none"><br clear="none">The core problem is that NTLM protocol itself is not capable of anything <br clear="none">actually considered secure these days. It was declared EOL by MS more <br clear="none">than 11 years ago, so loss of NTLM related things in Win10 is hardly a <br clear="none">surprise.<br clear="none"><br clear="none">To solve your auth problem what you need is actually a migration to <br clear="none">Kerberos authentication (Negotiate auth). You might find that slightly <br clear="none">easier after the Squid-3 upgrade, but the two are really independent <br clear="none">changes.<div class="yqt8010157677" id="yqtfd65764"><br clear="none"><br clear="none"><br clear="none">> <br clear="none">> The below settings are no longer available in the 3.5.x.x version since the <br clear="none">> programs do not exist for the new version:<br clear="none">> <br clear="none">> auth_param ntlm program c:/squid/libexec/mswin_ntlm_auth.exe<br clear="none">> <br clear="none">> external_acl_type win_domain_group %LOGIN <br clear="none">> c:/squid/libexec/mswin_check_ad_group.exe -G<br clear="none">> <br clear="none">> <br clear="none">> What are the equivalent settings for v 3.5? 
Once again I am in Windows <br clear="none">> environment.</div><br clear="none"><br clear="none">The helpers still exist, they just got renamed to follow a structured <br clear="none">taxonomy:<br clear="none">&lt;<a shape="rect" href="http://www.squid-cache.org/Versions/v3/3.2/RELEASENOTES.html#ss2.6" target="_blank">http://www.squid-cache.org/Versions/v3/3.2/RELEASENOTES.html#ss2.6</a>&gt;<br clear="none"><br clear="none"><br clear="none">Amos<br clear="none">_______________________________________________<br clear="none">squid-users mailing list<br clear="none"><a shape="rect" ymailto="mailto:squid-users@lists.squid-cache.org" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br clear="none"><a shape="rect" href="http://lists.squid-cache.org/listinfo/squid-users" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><div class="yqt8010157677" id="yqtfd33800"><br clear="none"></div></div><br><br></div> </div> </div> </div></div></body></html>