[squid-users] squid 5.1: Kerberos: Unable to switch to basic auth with Edge - IE - Chrome

David Touzeau david at articatech.com
Tue Sep 21 08:21:37 UTC 2021


Thanks amos !!

I think auth_schemes can be a workaround.
I will try it !



Le 21/09/2021 à 02:49, Amos Jeffries a écrit :
> On 21/09/21 11:49 am, David Touzeau wrote:
>>
>> When edge, chrome and IE try to establish a session, Squid claim
>>
>> 2021/09/21 01:17:27 kid1| ERROR: Negotiate Authentication validating 
>> user. Result: {result=BH, notes={message: received type 1 NTLM token; }}
>>
>> This let us understanding that these 3 browsers try NTLM instead of a 
>> Basic Authentication.
>>
>> I did not know why these browsers using NTLM as they did not 
>> connected to the Windows domain
>
> Unlike Kerberos, NTLM does not require the machine to be connected to 
> a domain to have credentials. AFAIK the browser still has access to 
> the localhost user credentials for use in NTLM. Or the machine may 
> even be trying to use the Basic auth credentials as LM tokens with 
> NTLM scheme.
>
>
>> Why squid never get the Basic Authentication credentials. ?
>>
>
> That is a Browser decision. All Squid can do is offer the schemes it 
> supports and they have to choose which is used.
>
>> Did i miss something ?
>
> With Squid-5 you can use the auth_schemes directive to workaround 
> issues like this.
>  <http://www.squid-cache.org/Versions/v5/cfgman/auth_schemes.html>
>
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20210921/38ef3c63/attachment.htm>


More information about the squid-users mailing list