[squid-users] Active Directory Authentication failing at the browser

Amos Jeffries squid3 at treenet.co.nz
Mon Nov 16 20:17:51 UTC 2015

On 17/11/2015 3:19 a.m., Eugene M. Zheganin wrote:
> Hi.
> On 16.11.2015 18:46, dolson wrote:
>> Squid Version:  Squid 3.4.8
>> OS Version:  Debian 8 (8.2)
>> I have installed Squid on a server using Debian 8 and seem to have the basics 
>> operating, at least when I start the squid service, I have am no longer 
>> getting any error messages.  At this time, the goal is to authenticate users 
>> from Active Directory and log the user and the websites they are accessing.
>> The problem I am having is, when I set Firefox 35.0.1 on my Windows 7 
>> workstation to use the Squid proxy, I am getting the log in page (image below).
>> imap://emz@mail.norma.perm.ru:143/fetch%3EUID%3E/INBOX/maillists/squid-users%3E58459?header=quotebody&part=1.1.2&filename=image001.png
>> I have tried entering my user name in various form EXAMPLE/USERID, USERID, 
>> EXAMPLE/ADMINISTRATOR, ADMINISTRATOR and the password and I have not had a 
>> successful at this time.
>> I have attached the squid.conf, smb.conf, krb5.conf, and access.log files for 
>> review.  If you would like to see the cache.log file, please contact me as the 
>> file is too large to include in this post.
> I suggest you first make Basic and NTLM working with active directory, and only 
> then, having these 2 schemes working, you move to the GSS-SPNEGO scheme. This is 
> because GSS-SPNEGO scheme is overcomplicated and difficult to debug, as it uses 
> lots of components and can fall apart easily on any stage.

I suggest also using a current Firefox release. I am finding the 4x's
series work a lot better than the earlier 3x's did on Windows 7.

Kerberos also uses the USER at DOMAIN format for user labeling. Sending it
Basic USERID) or NTLM (DOMAIN/USERID) formatted labels may be the problem.

Kerberos and NTLM are both PITA protocols. But NTLM makes everything
worse. If you are able to avoid using it at all and to actively turn
NTLM off around your network the Kerberos side of things will work better.


More information about the squid-users mailing list