[squid-users] Squid with NTLM auth behind netscaler

[Amos Jeffries]

On 4/12/2015 11:14 p.m., Fabio Bucci wrote:
> Hi All,
> my task is implementing a squid proxy that allow all my authenticated
> (windows AD) internal users to surf internet without any credential request
> (pop-up).
> 
> Plus, i created two squid nodes and put them behind a citrix netscaler in
> order to perform a load balance service.
> 

How does this LB device work exactly? when dealing with NTLM the
specifics matter *a lot*.

Some LB sniff the HTTP traffic then route them on a per-message basis.
This is incompatible with both NTLM and Negotiate authentication, and
can cause bad confusion between the browser and proxy randomly.

Note that HTTP is a stateless protocol. So none of the browser, LB or
proxy are broken when this is going on. It is those to auth schemes that
are broken and incompatible with the designed statelessness feature of
HTTP being used by the LB.


> I configured squid with samba and ntlm helper in order to perform a
> transparent authentication but sometimes some user report me their browsers
> require authentication via pop-up.
> 
> I'm not a deep expert about squid and i'd like to receive your help in
> order to understand if my configuration is correct or not and if there is a
> way to prevent popup.

With HTTP authentication there should only ever be one popup no matter
what type of authentication scheme is used. HTTP being stateless,
requires that every single message has credentials attached (NTLM
violates that and some browsers dont always re-send while the connection
is alive; Squid accepts that, the LB may not). It is the browsers
responsibility to remember the credentials that work and continue using
them without annoying the user.


There are some proxy configurations that allow for the proxy to force
the Browser to change credentials. These can result in popups as that
change happens. We will need to see your squid.conf to provide any
specific help on that.

Amos