[squid-users] NTLM authentication worked in Squid 2.7.STABLE8 Squid Web Proxy, now need it in v3.5 hosted on Windows server 2k12
Amos Jeffries
squid3 at treenet.co.nz
Tue Jun 27 15:39:54 UTC 2017
On 27/06/17 12:06, Todd Pearson wrote:
>
> I am hosting the squid proxy on Windows 2K12 server. Squid 2.7.STABLE8
> Squid Web Proxy version worked well for authentication until recent
> Windows 10 update killed Sha1. Now I am upgrading to squid proxy
> version 3.5.x.x to restore authentication.
FYI: upgrading to Squid-3 will not solve that problem by itself. The
helpers in both Squid series are performing the same logic, with the
same crypto limitations.
The core problem is that NTLM protocol itself is not capable of anything
actually considered secure these days. It was declared EOL by MS more
then 11 years ago, so loss of NTLM related things in Win10 is hardly a
surprise.
To solve your auth problem what you need is actually a migration to
Kerberos authentication (Negotiate auth). You might find that slightly
easier after the Squid-3 upgrade, but the two are really independent
changes.
>
> The below settings are longer available in the 3.5.x.x version since the
> progams do not exist for the new version:
>
> auth_param ntlm program c:/squid/libexec/mswin_ntlm_auth.exe
>
> external_acl_type win_domain_group %LOGIN
> c:/squid/libexec/mswin_check_ad_group.exe -G
>
>
> What are the equivalent setting for v 3.5. Once again I am in windows
> environment.
The helpers still exist, they just got renamed to follow a structured
taxonomy:
<http://www.squid-cache.org/Versions/v3/3.2/RELEASENOTES.html#ss2.6>
Amos
More information about the squid-users
mailing list