[squid-users] Problems with NTLM authentication

Brendan Kearney bpk678 at gmail.com
Tue Nov 24 15:44:21 UTC 2015

On 11/24/2015 10:08 AM, Verónica Ovando wrote:
> My Squid Version:  Squid 3.4.8
> OS Version:  Debian 8
> I have installed Squid on a server using Debian 8 and seem to have the 
> basics operating, at least when I start the squid service, I am 
> no longer getting any error messages.  At this time, the goal is to 
> authenticate users from Active Directory and log the user and the 
> websites they are accessing.
> I followed the official guide 
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm. I 
> verified that samba is properly configured, as the guide suggests, with 
> the basic helper in this way:
> # /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> domain\user pass
> OK
> Here is a part of my squid.conf where I defined my ACLs for the groups 
> in AD:
> ======================================================================================================== 
> auth_param ntlm program /usr/local/bin/ntlm_auth 
> --helper-protocol=squid-2.5-ntlmssp --domain=DOMAIN.com
> auth_param ntlm children 30
> auth_param basic program /usr/local/bin/ntlm_auth 
> --helper-protocol=squid-2.5-basic
> auth_param basic children 5
> auth_param basic realm Servidor proxy-cache de mi Dominio
> auth_param basic credentialsttl 2 hours
> external_acl_type AD_Grupos ttl=10 children=10 %LOGIN 
> /usr/lib/squid3/ext_wbinfo_group_acl -d
> acl AD_Standard external Grupos_AD Standard
> acl AD_Exceptuados external Grupos_AD Exceptuados
> acl AD_Bloqueados external Grupos_AD Bloqueados
> acl face url_regex -i "/etc/squid3/facebook"
> acl gob url_regex -i "/etc/squid3/gubernamentales"
> http_access allow AD_Standard
> http_access allow AD_Exceptuados !face !gob
> http_access deny AD_Bloqueados
> ======================================================================================================== 
> I tested using only the basic scheme (I commented the lines out for 
> NTLM auth) and every time I open the browser it asks me my user and 
> pass. And it works well because I can see in the access.log my 
> username and all the access policies defined are correctly applied.
> But if I use NTLM auth, the browser still shows me the pop-up (it must 
> not be shown) and if I enter my user and pass it still asks me for them 
> until I cancel it.
> My access.log, in that case, shows a TCP_DENIED/407 as expected.
> What could be the problem? I suppose that both Kerberos and NTLM 
> protocols work together, I mean that can live together in the same 
> environment and Kerberos is used by default. How can I check that NTLM 
> is really working? Could it be a squid problem in the conf? Or maybe 
> AD is not allowing NTLM traffic?
> Sorry for my English. Thanks in advance.
Make sure Internet Explorer is set to use Integrated Windows 
Authentication (IWA).  Tools --> Internet Options --> Advanced --> 
Security --> Enable Integrated Windows Authentication.
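Besides the browser setting, the quoted squid.conf itself deserves a look: the helper is declared as `external_acl_type AD_Grupos` but the three group ACLs reference `Grupos_AD`, and every `http_access` line depends on those ACLs. The following lint is an added example, not code from the thread or from the Squid project; it embeds a constructed copy of the quoted configuration (wrapped lines joined), checks that every `acl ... external NAME` points at a defined `external_acl_type`, that every ACL used in `http_access` is defined, and reports the order in which `auth_param` schemes appear, which is the order Squid offers them to the client. The set of built-in ACL names is an assumption based on Squid 3.x defaults.

```python
"""Lint a squid.conf fragment for dangling ACL references and auth scheme order.

Added example; not from the squid-users thread or the Squid project.
"""

# Constructed copy of the configuration quoted in the thread, with the
# line-wrapped directives joined back onto one line each.
SQUID_CONF = """\
auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=DOMAIN.com
auth_param ntlm children 30
auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Servidor proxy-cache de mi Dominio
auth_param basic credentialsttl 2 hours
external_acl_type AD_Grupos ttl=10 children=10 %LOGIN /usr/lib/squid3/ext_wbinfo_group_acl -d
acl AD_Standard external Grupos_AD Standard
acl AD_Exceptuados external Grupos_AD Exceptuados
acl AD_Bloqueados external Grupos_AD Bloqueados
acl face url_regex -i "/etc/squid3/facebook"
acl gob url_regex -i "/etc/squid3/gubernamentales"
http_access allow AD_Standard
http_access allow AD_Exceptuados !face !gob
http_access deny AD_Bloqueados
"""

# Assumption: ACL names Squid 3.x predefines; the lint must not flag them.
BUILTIN_ACLS = {"all", "manager", "localhost", "to_localhost"}


def parse_conf(text):
    """Collect external_acl_type names, acl definitions and http_access rules."""
    ext_types, acls, http_access = set(), {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "external_acl_type" and len(parts) > 1:
            ext_types.add(parts[1])
        elif parts[0] == "acl" and len(parts) > 2:
            # acl NAME TYPE [args...]; a name may be defined on several lines
            acls.setdefault(parts[1], []).append(parts[2:])
        elif parts[0] == "http_access" and len(parts) > 2:
            http_access.append((parts[1], parts[2:]))
    return ext_types, acls, http_access


def lint(text):
    """Return a list of findings; an empty list means the references resolve."""
    ext_types, acls, http_access = parse_conf(text)
    findings = []
    for name, definitions in acls.items():
        for definition in definitions:
            if definition[0] != "external":
                continue
            if len(definition) < 2:
                findings.append(f"acl {name}: 'external' without a helper name")
            elif definition[1] not in ext_types:
                findings.append(
                    f"acl {name}: references undefined external_acl_type "
                    f"{definition[1]!r} (defined: {sorted(ext_types)})"
                )
    known = set(acls) | BUILTIN_ACLS
    for action, refs in http_access:
        for ref in refs:
            if ref.lstrip("!") not in known:
                findings.append(f"http_access {action}: undefined acl {ref.lstrip('!')!r}")
    return findings


def auth_scheme_order(text):
    """Schemes in first-appearance order, which is the order Squid offers them."""
    order = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) > 2 and parts[0] == "auth_param" and parts[1] not in order:
            order.append(parts[1])
    return order


if __name__ == "__main__":
    print("auth schemes offered in order:", auth_scheme_order(SQUID_CONF))
    for finding in lint(SQUID_CONF) or ["no dangling references"]:
        print(finding)
```

Run against the quoted configuration it reports three ACLs pointing at the undefined helper name `Grupos_AD`; renaming either side so the two match makes the findings disappear. The scheme order check confirms `ntlm` is listed before `basic`, so a client that supports NTLM should be challenged with it first; if the browser still falls back to a basic prompt, the client-side IWA setting above is the next thing to verify.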
