<div dir="ltr"><div>Hello All,</div><div><br></div><div>I have 2 squid servers that authenticate correctly when you point your browser to either of them. I'm using a negotiate_wrapper. I set it up following this (<a href="http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory">http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory</a>) </div><div><br></div><div>I would like to set both servers behind a haproxy load balancer, however when you try to utilize the haproxy load balancer, it will not authenticate anymore. It just gives an error asking to authenticate.</div><div><br></div><div>Any ideas?</div><div><br></div><div>Thanks in advance.</div><div><br></div><div><br></div><div><br></div><div>##HAPROXY.CFG##</div><div><br></div><div><div>global</div><div><span class="" style="white-space:pre"> </span>log /dev/log<span class="" style="white-space:pre"> </span>local0</div><div><span class="" style="white-space:pre"> </span>log /dev/log<span class="" style="white-space:pre"> </span>local1 notice</div><div><span class="" style="white-space:pre"> </span>chroot /var/lib/haproxy</div><div><span class="" style="white-space:pre"> </span>user haproxy</div><div><span class="" style="white-space:pre"> </span>group haproxy</div><div><span class="" style="white-space:pre"> </span>daemon</div><div><br></div><div>defaults</div><div><span class="" style="white-space:pre"> </span>log<span class="" style="white-space:pre"> </span>global</div><div><span class="" style="white-space:pre"> </span>mode<span class="" style="white-space:pre"> </span>http</div><div><span class="" style="white-space:pre"> </span>option<span class="" style="white-space:pre"> </span>httplog</div><div><span class="" style="white-space:pre"> </span>option<span class="" style="white-space:pre"> </span>dontlognull</div><div> contimeout 5000</div><div> clitimeout 50000</div><div> srvtimeout 50000</div><div><br></div><div># reverse proxy-squid</div><div>listen proxy <a href="http://10.10.0.254:3128">10.10.0.254:3128</a></div><div><span class="" style="white-space:pre"> </span>mode http</div><div> cookie SERVERID insert indirect nocache</div><div> balance roundrobin</div><div> option httpclose</div><div> option forwardfor header X-Client</div><div> server squid1 <a href="http://10.10.0.253:3128">10.10.0.253:3128</a> check inter 2000 rise 2 fall 5</div><div> server squid2 <a href="http://10.10.0.252:3128">10.10.0.252:3128</a> check inter 2000 rise 2 fall 5</div></div><div><br></div><div><br></div><div><br></div><div><br></div><div>##SQUID.CONF##</div><div><br></div><div><br></div><div><div>#Kerberos and NTLM authentication</div><div>auth_param negotiate program /usr/local/bin/negotiate_wrapper --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=****.LOCAL --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME</div><div>auth_param negotiate children 30</div><div>auth_param negotiate keep_alive off</div><div><br></div><div># LDAP authentication</div><div>auth_param basic program /usr/lib/squid3/basic_ldap_auth -R -b "DC=****,DC=local" -D "CN=SQUID,OU=Service Accounts,DC=****,DC=local" -w "****" -f sAMAccountName=%s -h 10.0.0.200,10.0.0.199,10.0.0.194,10.0.0.193</div><div>auth_param basic children 150</div><div>auth_param basic realm Please enter your Domain credentials to continue</div><div>auth_param basic credentialsttl 1 hour</div><div><br></div><div># AD group membership commands</div><div>external_acl_type ldap_group ttl=60 children-startup=10 children-max=50 children-idle=2 %LOGIN /usr/lib/squid3/ext_ldap_group_acl -R -K -S -b "DC=****,DC=local" -D "CN=SQUID,OU=Service Accounts,DC=****,DC=local" -w "****" -f "(&(objectclass=person) (sAMAccountname=%v)(memberof=CN=%a,OU=PROXY,ou=ALL Groups,DC=****,DC=local))" -h dc1.****.local,dc2.****.local,dc3.****.local,dc4.****.local</div><div><br></div><div>acl auth proxy_auth REQUIRED<br></div></div><div><br></div><div>acl REQGROUPS external ldap_group PROXY-HIGHLY-RESTRICTIVE PROXY-MEDIUM-RESTRICTIVE PROXY-MINIMAL-RESTRICTIVE PROXY-UNRESTRICTED PROXY-DEV PROXY-SALES</div><div><div><br></div><div>http_access deny !auth all</div><div>http_access deny !REQGROUPS all</div></div><div><br></div><div><br></div><div><br></div><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr"><font face="arial, helvetica, sans-serif">Samuel Anderson | Information Technology Administrator | International Document Services</font><div><font face="arial, helvetica, sans-serif"><br></font></div><div><font face="arial, helvetica, sans-serif">IDS | 11629 South 700 East, Suite 200 | Draper, UT 84020-4607</font></div><div style="text-align:right"><img src="http://nationalmortgageprofessional.com/sites/default/files/images/IDS_Logo_03_12.topstoryimage.jpg" width="96" height="88"><br></div></div></div>
</div>
<br>
<div style="font-family:Arial,Helvetica,sans-serif"><font face="Arial, Helvetica, sans-serif" size="4">CONFIDENTIALITY NOTICE:</font></div><div style="font-family:Arial,Helvetica,sans-serif"><font size="4"><font face="Arial, Helvetica, sans-serif" style="font-family:Arial,Helvetica,sans-serif">This e-mail and any attachments are confidential. If you are not an intended recipient, please contact the sender to report the error and delete all copies of this message from your system. </font><font face="Arial, Helvetica, sans-serif">Any unauthorized review, use, disclosure or distribution is prohibited</font><font face="Arial, Helvetica, sans-serif">.</font></font></div>