[squid-users] Active Directory Authentication failing at the browser

Rafael Akchurin rafael.akchurin at diladele.com
Mon Nov 16 21:21:00 UTC 2015

Hello all,

If I am not terribly mistaken when you have a Kerberos auth scheme active - you are actually using SSO - i.e. when everything is configured normally you should *never* see the popup box - the fact that you see it means Kerberos is not working.

What I would check first is that you set your browser to use the proxy *by FQDN* and not by IP as you seem to (see the proxy address at screenshot). I would humbly recommend to check the trouble shooting checklist we have on our site - 

Best regards,
Rafael Akchurin
Diladele B.V.

-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Amos Jeffries
Sent: Monday, November 16, 2015 9:18 PM
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Active Directory Authentication failing at the browser

On 17/11/2015 3:19 a.m., Eugene M. Zheganin wrote:
> Hi.
> On 16.11.2015 18:46, dolson wrote:
>> Squid Version:  Squid 3.4.8
>> OS Version:  Debian 8 (8.2)
>> I have installed Squid on a server using Debian 8 and seem to have 
>> the basics operating, at least when I start the squid service, I have 
>> am no longer getting any error messages.  At this time, the goal is 
>> to authenticate users from Active Directory and log the user and the websites they are accessing.
>> The problem I am having is, when I set Firefox 35.0.1 on my Windows 7 
>> workstation to use the Squid proxy, I am getting the log in page (image below).
>> imap://emz@mail.norma.perm.ru:143/fetch%3EUID%3E/INBOX/maillists/squi
>> d-users%3E58459?header=quotebody&part=1.1.2&filename=image001.png
>> I have tried entering my user name in various form EXAMPLE/USERID, 
>> have not had a successful at this time.
>> I have attached the squid.conf, smb.conf, krb5.conf, and access.log 
>> files for review.  If you would like to see the cache.log file, 
>> please contact me as the file is too large to include in this post.
> I suggest you first make Basic and NTLM working with active directory, 
> and only then, having these 2 schemes working, you move to the 
> GSS-SPNEGO scheme. This is because GSS-SPNEGO scheme is 
> overcomplicated and difficult to debug, as it uses lots of components and can fall apart easily on any stage.

I suggest also using a current Firefox release. I am finding the 4x's series work a lot better than the earlier 3x's did on Windows 7.

Kerberos also uses the USER at DOMAIN format for user labeling. Sending it Basic USERID) or NTLM (DOMAIN/USERID) formatted labels may be the problem.

Kerberos and NTLM are both PITA protocols. But NTLM makes everything worse. If you are able to avoid using it at all and to actively turn NTLM off around your network the Kerberos side of things will work better.


squid-users mailing list
squid-users at lists.squid-cache.org

More information about the squid-users mailing list