Has anyone been able to use NTLM with Squid as a reverse proxy to access SharePoint?

Time: 2020-03-06 14:39:08  Source: igfitidea
  • We have a Squid reverse proxy and a MOSS 2007 portal. All sites use NTLM.
  • We cannot get it to work with Squid as the reverse proxy.

Any ideas on where to start?

Solution

Can you switch to Kerberos instead of NTLM?

You are running into the "double-hop problem": NTLM authentication cannot traverse a proxy or an intermediate server.

Outlined here:
http://blogs.msdn.com/knowledgecast/archive/2007/01/31/the-double-hop-problem.aspx

and here:
http://support.microsoft.com/default.aspx?scid=kb;zh-CN;329986

Double-Hop Issue
  The double-hop issue is when the ASPX page tries to use resources that are located on a server that is different from the IIS server. In our case, the first "hop" is from the web browser client to the IIS ASPX page; the second hop is to the AD. The AD requires a primary token. Therefore, the IIS server must know the password for the client to pass a primary token to the AD. If the IIS server has a secondary token, the NTAUTHORITY\ANONYMOUS account credentials are used. This account is not a domain account and has very limited access to the AD.
  
  The double-hop using a secondary token occurs, for example, when the browser client is authenticated to the IIS ASPX page by using NTLM authentication. In this example, the IIS server has a hashed version of the password as a result of using NTLM. If IIS turns around and passes the credentials to the AD, IIS is passing a hashed password. The AD cannot verify the password and, instead, authenticates by using the NTAUTHORITY\ANONYMOUS LOGON.
  
  On the other hand, if your browser client is authenticated to the IIS ASPX page by using Basic authentication, the IIS server has the client password and can make a primary token to pass to the AD. The AD can verify the password and does authenticate as the domain user.
  For more information, click the following article number to view the article in the Microsoft Knowledge Base:
  264921 (http://support.microsoft.com/kb/264921/) How IIS authenticates browser clients

If you cannot switch to Kerberos, have you looked into the Squid NTLM project?
http://devel.squid-cache.org/ntlm/
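For context on what "NTLM does not traverse a proxy" means in practice: NTLM (like Negotiate) authenticates the TCP connection rather than each request, so a reverse proxy can only pass it through if it keeps every client connection pinned to its own dedicated connection to the origin and forwards the `Authorization` header unaltered. The following is an added example, not configuration from the thread or from the Squid NTLM project: a minimal Squid accelerator (reverse-proxy) configuration using Squid's `login=PASSTHRU` and `connection-auth=on` options, which exist in Squid releases that implement connection pinning (an assumption about the version in use). The hostname `portal.example.com` and the origin address `10.0.0.5` are placeholders.

```squidconf
# Added example (not from the original thread): Squid as a reverse proxy in
# front of an IIS/MOSS origin, passing NTLM through with connection pinning.
# portal.example.com and 10.0.0.5 are assumed placeholder values.

# Listen as an accelerator for the portal hostname; keep Microsoft
# connection-oriented authentication (NTLM/Negotiate) intact on the client side.
http_port 80 accel defaultsite=portal.example.com vhost connection-auth=on

# The MOSS 2007 web front end is the origin server. login=PASSTHRU forwards the
# client's Authorization header unchanged; connection-auth=on tells Squid the
# peer speaks NTLM so each client connection is pinned to one origin connection.
cache_peer 10.0.0.5 parent 80 0 no-query originserver name=moss login=PASSTHRU connection-auth=on

# Route only requests for the portal hostname to that peer.
acl portal_site dstdomain portal.example.com
cache_peer_access moss allow portal_site
cache_peer_access moss deny all
http_access allow portal_site
http_access deny all

# Responses are per-user once authenticated; never serve them from cache
# to a different client.
cache deny all
```

Two points worth checking on a setup like this: with `login=PASSTHRU` Squid itself performs no authentication, so access control for the portal remains entirely at IIS, and if the fallback described in the KB excerpt above (Basic authentication, so that IIS holds the actual password) is ever used, the credentials cross the proxy hop in cleartext unless that hop is TLS.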