[squid-users] Squid with NTLM auth behind netscaler

Amos Jeffries squid3 at treenet.co.nz
Wed Dec 16 20:12:41 UTC 2015

On 17/12/2015 5:34 a.m., Fabio Bucci wrote:
> I'm planning to migrate to Kerberos instead of NTLM..... I got a question for
> you Amos: sometimes a client reports issues in navigation, and searching in the
> log file I cannot see the "username", and all the requests are 407.
> In these cases is there a way to reset a user session, or is it completely a
> client issue?

Usually it is the client stuck in a loop trying Negotiate/NTLM auth for
some reason. Some old Firefox, most Safari, and older IE can all get
stuck trying those credentials and ignoring the offers of Basic.

It might be possible to figure out some LmCompatibility settings change
that makes the problem just go away (eg, forcing NTLM of all versions to
disabled on the client).

Other than that Squid does have some workaround responses it can be made
to send back that might help the client reach the right conclusion:

a) list Basic auth first in the config. Any properly working client will
re-sort the auth types by security level and do the Kerberos anyway. But
the broken ones (particularly IE7 and older) will have more chance of
using Basic.

b) sending a 407 response with no auth headers. Such as a deny 407 status
generated by external ACL deny, or a URL-redirector. These tell the
client that auth failed, but there is no acceptable fallback.

c) sending Connection:close. Sometimes (mostly Firefox v20-v40) it is
the client prematurely attaching the credentials to the connection and
re-using them. That is supposed to have been fixed recently, but I've
not confirmed.

d) sending 403 status response. To just flat-out block the client once
it enters the looping state. Hoping that later requests will start to
work again.
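As an added illustration (not from the thread or the Squid project), a squid.conf fragment applying workarounds (a) and (c): Basic is listed before Negotiate so it appears first in the Proxy-Authenticate offers, and persistent client connections are turned off so Squid closes each connection after the response. Helper paths, the LDAP base, and the Kerberos service principal are placeholder assumptions.

```squid
# Workaround (a): list Basic first. Squid emits the Proxy-Authenticate
# challenges in configuration order, so a client that cannot re-sort
# them sees Basic first. Helper paths and parameters are assumptions.
auth_param basic program /usr/lib/squid/basic_ldap_auth -R -b "dc=example,dc=com" -h ldap.example.com
auth_param basic children 5
auth_param basic realm Proxy
auth_param basic credentialsttl 2 hours

# Negotiate (Kerberos) offered second; working clients still prefer it
# because they pick the strongest scheme regardless of order.
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy.example.com@EXAMPLE.COM
auth_param negotiate children 10
auth_param negotiate keep_alive on

# Require proxy authentication; an unauthenticated request gets the
# 407 challenge carrying both schemes in the order above.
acl AuthUsers proxy_auth REQUIRED
http_access deny !AuthUsers
http_access allow AuthUsers

# Workaround (c): close the client connection after every response so a
# client cannot keep re-using credentials it attached to the connection.
client_persistent_connections off
```

Turning off persistent connections costs a TCP setup per request, so it is best scoped to a test period or to the affected clients rather than left on globally.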


