[squid-users] Two questions about cache for squid authentication
Amos Jeffries
squid3 at treenet.co.nz
Tue Aug 17 07:40:21 UTC 2021
On 17/08/21 6:25 pm, 易铭 wrote:
> Dear all,
>
> I have two questions about cache for squid authentication.
>
> 1. Can I skip authentication for a certain period of time after I've
> authenticated once?
>
> When I do the following, the authentication screen appears.
>
> Start browser -> access site after authentication (Kerberos
> authentication) -> close browser -> start another application (LDAP
> authentication)
>
Negotiate/Kerberos authentication authenticates the TCP connection. All
messages on that connection require the Kerberos tokens to prove it is
valid on that connection.
> So, even using Kerberos and LDAP auth at the same time, I want to skip
> the authentication process by clientIPaddress, etc.
>
This is authorization *not* authentication.
> 2. About authentication data passing in NTLM authentication on website.
>
NTLM, just like Negotiate/Kerberos authenticates the TCP connection and
requires all messages to have teh appropriate tokens.
> SingleSignOn is not working for some sites with NTLM authentication.
>
That is a Browser issue. "single sign-on" is a behaviour of clients,
where they choose to send the same credentials to all services. It has
nothing to do with the service like Squid.
> For example, when the authentication pop-up message appears, you can
> enter the auth information to access the page, but if you visit a
> different URL, you will be prompted to authenticate again.
>
> Can someone give me some advice?
>
The client doing that is broken or confused.
Maybe the confusion happened because of your mixed up squid config
rules. Or maybe not. You have not provided any information about your
squid.conf, network topology, or how the clients are using the proxy -
so we cannot tell.
Amos
More information about the squid-users
mailing list