<div dir="ltr"><div>Hi Amos, </div><div><br></div><div>Thank you for your prompt reply.</div><div><br></div><div>As you said, the first request is hitting the proxy with the "user" field empty, but there is no second request. And I was wrong about the "timer". </div><div>Please find below the config </div><div><div class="gmail-moz-text-html" lang="x-western">
<div class="gmail-WordSection1">
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">auth_param
negotiate program /usr/local/squid/libexec/negotiate_wrapper_auth -d
--ntlm /usr/local/samba/bin/ntlm_auth
--diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=KATANA
--kerberos /usr/local/squid/libexec/ext_kerberos_sid_group_acl -d -s
GSS_C_NO_NAME</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">auth_param negotiate children 60</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">auth_param negotiate keep_alive off</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US"> </span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">auth_param ntlm program /usr/local/samba/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=KATANA</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">auth_param ntlm children 60</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">auth_param ntlm keep_alive off</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US"> </span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">auth_param basic program /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-basic</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">auth_param basic children 60</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">auth_param basic credentialsttl 4 hours</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US"> </span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">auth_param basic program /usr/local/squid/libexec/basic_ldap_auth -R -b "dc=KATANA,dc=LOCAL" -D katanauser@KATANA.LOCAL
-W /usr/local/squid/etc/pass.txt -f sAMAccountName=%s -h 192.168.111.40</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">auth_param basic children 60</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">auth_param basic realm Katana Local</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">auth_param basic credentialsttl 1 minute</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US"> </span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">acl auth proxy_auth REQUIRED</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US"> </span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">tcp_outgoing_address 0.0.0.0 all</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">dns_v4_first on</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US"> </span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">acl mimeblock rep_mime_type ^application/x-shockwave-flash$</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">http_reply_access deny mimeblock</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">acl deny_rep_mime_flashvideo rep_mime_type video/flv</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">http_reply_access deny deny_rep_mime_flashvideo</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US"> </span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">acl local0 dst <a href="http://172.16.0.0/12">172.16.0.0/12</a></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">acl local1 dst <a href="http://192.168.0.0/16">192.168.0.0/16</a></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">http_access allow local0 all</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">http_access allow local1 all</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">cache deny local1</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">cache deny local0</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">redirector_access deny local0</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">redirector_access deny local1</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US"> </span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">http_access deny !auth</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">http_access allow auth</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">#http_access deny all</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">http_port 8080</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US"> </span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">debug_options 29,9</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">cache_swap_low 94</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">cache_swap_high 95</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">logfile_rotate 150</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US"> </span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray">cache_dir aufs /media/STORAGE/cache 7000 16 256</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">cache_log /media/STORAGE/ACCESS/cache.log</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">access_log /media/STORAGE/ACCESS/access.log</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US"> </span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">refresh_pattern ^ftp: 1440 20% 10080</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">refresh_pattern ^gopher: 1440 0% 1440</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">refresh_pattern -i (/cgi-bin/|\?) 0 0% 0</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">refresh_pattern . 0 20% 4320</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US"> </span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">acl allsrc src all</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray">acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 8080 3129 1025-65535</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray">acl sslports port 443 563</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray"> </span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">acl purge method PURGE</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">acl connect method CONNECT</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US"> </span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">acl HTTP proto HTTP</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">acl HTTPS proto HTTPS</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">acl allowed_subnets src <a href="http://192.168.0.0/16">192.168.0.0/16</a></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">http_access allow allowed_subnets</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">http_access allow manager localhost</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US"> </span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">http_access deny manager</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">http_access allow purge localhost</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">http_access deny purge</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">http_access deny !safeports</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">http_access deny CONNECT !sslports</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US"> </span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">http_access allow localhost</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US"> </span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">request_body_max_size 0 KB</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">delay_pools 1</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">delay_class 1 2</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">delay_parameters 1 -1/-1 -1/-1</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">delay_initial_bucket_level 100</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">delay_access 1 allow allsrc</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US"> </span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">http_access deny allsrc</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US"> </span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">acl max_user_ip_conn max_user_ip -s 1</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">http_access deny max_user_ip_conn</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">deny_info <a href="https://192.168.111.111/index3.html">https://192.168.111.111/index3.html</a> max_user_ip_conn</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US"> </span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray">acl Java browser Java/1.4 Java/1.5 Java/1.6 Java/1.7 Java/1.8</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">http_access allow Java</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US"> </span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">url_rewrite_program /usr/local/ufdbguard/bin/ufdbgclient -l /var/log/squid</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">url_rewrite_children 64 startup=16 idle=4 concurrency=0</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">debug_options 28,9</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">url_rewrite_children 10</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US"> </span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US"> </span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">icap_enable on</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">icap_send_client_ip on</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">icap_send_client_username on</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">icap_client_username_encode off</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">icap_client_username_header X-Authenticated-User</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">icap_preview_enable on</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">icap_preview_size 1024</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">icap_service service_req reqmod_precache bypass=1 icap://<a href="http://127.0.0.1:1345/squidclamav">127.0.0.1:1345/squidclamav</a></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">adaptation_access service_req allow all</span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">icap_service service_resp respmod_precache bypass=1 icap://<a href="http://127.0.0.1:1345/squidclamav">127.0.0.1:1345/squidclamav</a></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10pt;font-family:"Courier New";color:black;background:gray" lang="EN-US">adaptation_access service_resp allow all</span></i><i><span style="font-size:10pt;font-family:"Courier New";color:black" lang="EN-US"></span></i></p>
<p class="MsoNormal"><span style="font-family:Montserrat;color:black" lang="EN-US"> </span></p>
<p class="MsoNormal">Thank you </p><p class="MsoNormal"><br></p>
</div>
</div></div><br><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br><br>
<br>
Message: 1<br>
Date: Fri, 19 Jul 2019 02:59:13 +1200<br>
From: Amos Jeffries <<a href="mailto:squid3@treenet.co.nz" target="_blank">squid3@treenet.co.nz</a>><br>
To: <a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br>
Subject: Re: [squid-users] squid time out<br>
Message-ID: <<a href="mailto:9b813ff3-23b3-c35a-8b40-403ee67053a5@treenet.co.nz" target="_blank">9b813ff3-23b3-c35a-8b40-403ee67053a5@treenet.co.nz</a>><br>
Content-Type: text/plain; charset=utf-8<br>
<br>
On 19/07/19 1:57 am, ANDRINANTENAINA Avo wrote:<br>
> <br>
> I have a huge range in terms of network, but awkwardly, the<br>
> authentication/ACL and everything works well in one given subnet but not<br>
> on the others. The users in the other subnets are not able to surf the<br>
> internet, and this without any specific logs from the proxy side ( the<br>
> most significant part of the config could be seen below). Any request<br>
> from these users just times out. ____<br>
> <br>
...<br>
<br>
> __ __<br>
> <br>
> I can’t really understand the issue, from the affected networks:____<br>
> <br>
> __- __The user is able to ping the proxy and access its port<br>
> 8080 (through telnet / netcat) ____<br>
> <br>
> __- __The request is able to reach the proxy but the in the<br>
> access_log the /“user” /is missing ____<br>
> <br>
> /1563455060.396 1 192.168.230.195 TCP_DENIED/407 4714 GET<br>
> <a href="http://api.bing.com/qsml.aspx" rel="noreferrer" target="_blank">http://api.bing.com/qsml.aspx</a>? - HIER_NONE/- text/html____/<br>
> <br>
> __- __TCP_DENIED/407, requesting the user to go through the<br>
> authentication phase is presented by the proxy to the user’s browser but<br>
> nothing happens. I thought that if the timer set to Kerberos, NTLM<br>
> expires, a pop up should appear but nothing (from wireshark)____<br>
> <br>
<br>
Er. Not sure what you mean by a timer.<br>
<br>
The log entry is a reasonable first-request from any client. No sane<br>
client will broadcast user credentials until it knows the receiving<br>
agent needs them - and in what form they are needed.<br>
That is why your log entry has no username, and the purpose of the 407<br>
status.<br>
<br>
Once that 407 is delivered to the Browser that HTTP transaction is over.<br>
If nothing happens afterwards that is a Browser or network layer<br>
problem, nothing to do with Squid. (There are exceptions, but I see no<br>
sign of those being relevant in your config).<br>
<br>
Browser popup is what happens if the Browser is _unable_ to find<br>
appropriate user credentials to send the proxy or web server needing<br>
login. If it is able to find any Kerberors, NTLM or Basic auth<br>
credentials to use (in that order of priority) - it will start a new<br>
HTTP transaction using those. Which will be logged as a separate HTTP<br>
transaction.<br>
But, if those credentials are not able to validate there may not be any<br>
resulting username to log. Your wireshark trace shows no<br>
Proxy-Authorization header in the request, so of course there will be no<br>
username on that transactions log entry.<br>
<br>
<br>
Setting the timeouts on credentials usability between the DC and the<br>
Browsers will only cause credential tokens to become invalid before they<br>
arrive at the proxy. That can lead to loops of transactions with 407 and<br>
no username logged, especially with NTLM credentials.<br>
<br>
Setting any of the auth related TTL or timeouts in squid.conf to short<br>
values will only cause extra work for the auth validation process.<br>
Slowing everything down. It has no effect on whether credentials are<br>
valid, nor what the Browser does.<br>
<br>
Despite the PR and marketing MS have done about single-sign-on being a<br>
NTLM thing, it is actually a regular part of all HTTP authentication.<br>
Seeing the popup is a *bad* sign, something is going wrong with the<br>
Browsers auth setup if it has to be bothering the user for details.<br>
On Windows particularly the Browser should have access to the users<br>
machine login or Kerberos keytab and so use one of those to access the<br>
proxy without bothering or even being noticed by the user at all.<br>
<br>
> <br>
> - On cache.log there is nothing that could mean something, just<br>
> a bunch of ARP error. Tried to debug the section 29 for authentication …<br>
> but nothing. Checked the IE internet options, just in case the windows<br>
> authentication profile is no ticked … but it is there.<br>
> <br>
<br>
ARP errors may be nothing, or it could be a sign that your routing needs<br>
something fixed.<br>
A routing problem might be affecting background connectivity for NTLM<br>
and Kerberos processes the Browser has to do to allocate auth tokens<br>
with DC.<br>
It might also effect the proxy verifying those tokens, but that would<br>
have a different more obvious error logged.<br>
<br>
<br>
If the above does not help your troubleshooting, please consider posting<br>
your whole squid.conf. (Without the #comment lines, and obfuscate<br>
anything like cachemgr_passwd which should not be made public - but in a<br>
way which ensures we can still tell eg that two IPs are different numbers).<br>
<br>
Amos<br>
<br><br>
</blockquote></div></div>