Re: Authentication: Time and Monetary contributions

From: Adrian Chadd <adrian@dont-contact.us>
Date: Mon, 2 Apr 2007 20:21:31 +0800

On Sat, Mar 31, 2007, Stefan Adams wrote:
> Hello squid developers!
>
> I have been devoting a lot of time to authentication within the proxy.
> However, every solution I provide to my customers is unacceptable.
> They simply get prompted too often or something doesn't work at all.

Erk! Hey, someone who might help fix why those Java applets break with NTLM/basic
authentication!

Quick, tie him down. :)

> Using NTLM, certain sites, e.g. links to videos on cnn.com, don't work
> at all. These videos are loaded by Real Player which apparently has
> an issue with passing NTLM credentials. As such, when using NTLM
> authentication, these videos are inaccessible. This is unacceptable
> to customers.

Have you any packet dumps/NTLM traces of this? It might be easily worked around
by some patches to Squid.

> Using Basic (PAM module), certain situations cause credential
> querying. This is extremely evident while using the help function of
> Microsoft Office products. The online help is web-based. Each link
> loads a new browser window and Office does not remember the
> credentials from link to link. As a result, every time a customer
> clicks a link, they are asked once again for credentials. This is
> unacceptable to customers.

Hm, does the online help, being web-based, work happily with
NTLM? Does NTLM work well in this case?

> I think entry 2.3 in the FAQ most clearly sums up the problem:
>
> http://netmirror.org/mirror/squid-www/Doc/FAQ/FAQ-23.html
>
> "Note: This has nothing to do with how often the user needs to
> re-authenticate himself. It is the browser who maintains the session,
> and re-authentication is a business between the user and his browser,
> not the browser and Squid. The browser authenticates on behalf of the
> user on every request sent to Squid. What this parameter controls is
> only how often Squid will ask the defined helper if the password is
> still valid."
>
> That said, there simply MUST be a better way. I have heard of other
> schools that provide authentication to the proxy that apparently do
> not complain about such "inconveniences". These users use commercial,
> proprietary products. I have no idea how they work.

Can you get access to them? Can you throw a packet trace at them?

It's entirely possible to "cache" authentication based on IP address.
That'd be perfectly fine in a lot of cases.

My suggestion: get some traces from broken implementations, fire them
off to the list, offer some money to people to try and fix it up and see
what happens.

Adrian
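The FAQ paragraph Stefan quotes is the crux of the thread, so here is an added toy model of what it describes (written for this archive page; it is not Squid's code and not from either poster): a per-credential cache in which `auth_param basic credentialsttl` decides how often the helper is re-asked, while the number of 407 challenges depends only on whether the client sends credentials at all. The `Helper` class, the request dict shape and the sample user are constructed for the illustration.

```python
import time


class Helper:
    """Stand-in for a Squid basic-auth helper (e.g. the PAM helper);
    it only counts how often the proxy actually consults it."""

    def __init__(self, users):
        self.users = users      # constructed sample credentials
        self.calls = 0

    def check(self, user, password):
        self.calls += 1
        return self.users.get(user) == password


class ProxyAuthCache:
    """Toy model of Squid's basic credential cache: entries are keyed by
    (user, password) and re-verified only after credentialsttl seconds;
    the client is challenged whenever it omits credentials."""

    def __init__(self, helper, credentialsttl, now=time.monotonic):
        self.helper, self.ttl, self.now, self.cache = helper, credentialsttl, now, {}

    def handle(self, request):
        creds = request.get("authorization")   # None = no Proxy-Authorization header
        if creds is None:
            return 407                          # challenge: client must resend with credentials
        entry = self.cache.get(creds)
        t = self.now()
        if entry is None or t - entry[1] >= self.ttl:
            entry = (self.helper.check(*creds), t)   # helper consulted only on miss or expiry
            self.cache[creds] = entry
        return 200 if entry[0] else 407


def simulate(credentialsttl):
    """Compare a browser that keeps credentials with windows that start without them."""
    clock = [0.0]
    helper = Helper({"alice": "s3cret"})        # constructed sample user
    proxy = ProxyAuthCache(helper, credentialsttl, now=lambda: clock[0])
    creds = ("alice", "s3cret")
    # A session-aware browser: one challenge, then it resends credentials on every request.
    statuses = [proxy.handle({})]
    for _ in range(5):
        statuses.append(proxy.handle({"authorization": creds}))
        clock[0] += 1.0
    session_calls = helper.calls
    # Each freshly spawned window (the Office help case) starts without credentials,
    # so it is challenged every time, whatever credentialsttl is set to.
    new_window_prompts = sum(1 for _ in range(3) if proxy.handle({}) == 407)
    return {"browser_prompts": statuses.count(407), "new_window_prompts": new_window_prompts,
            "helper_calls": session_calls, "helper_calls_for_new_windows": helper.calls - session_calls}
```

Lowering credentialsttl raises the helper call count without changing either prompt count, which is the FAQ's point.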
Received on Mon Apr 02 2007 - 06:10:45 MDT

This archive was generated by hypermail pre-2.1.9 : Sun Apr 29 2007 - 12:00:03 MDT