<html><head></head><body><div class="ydpec8cc22yahoo-style-wrap" style="font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:16px;"><div dir="ltr" data-setdir="false"><div>Hi,<br><br>I have successfully set up squid-openssl (6.10) on Ubuntu 24.04.02 LTS, staging and production. I referred to this Squid wiki: https://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory. I have set up Squid-cache to authenticate against Active Directory via Kerberos. For proxy user access to staging, Windows users (joined to AD) have no issue with authentication. In my tests, users authenticate seamlessly without any prompt.<br><br>Our office has around 600 users. When I turn on the production proxy in the morning at 9am, and the user count hits around 100, no issue is raised. When the user count hits around 250+, Windows users' browsers start to prompt for login; even though the domain credentials are correct, they seem not to work, and after that the user cannot surf any website.<br><br>How do I troubleshoot this issue?<br><br>I use squidclient to monitor external_acl, negotiateauthenticator, ntlmauthenticator and basicauthenticator; so far no requests have timed out.<br><br>I also monitor cache.log, filtering on "FATAL:|WARNING:|squidaio_queue_request:|SECURITY ALERT:", and didn't find any specific error.<br><br>Can anyone help identify this? I wonder why users still get a domain login prompt from, e.g., internet browsers like Chrome, Edge or Firefox, Outlook, Microsoft Teams, etc.<br><br>Appreciate any help.<br><br>Thanks.<br></div><div><br>Attached is my squid.conf:<br><pre>
=======================================
## negotiate kerberos and ntlm authentication
auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=MYCOMPANY --kerberos /usr/lib/squid/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
auth_param negotiate children 3000 startup=500 idle=200
auth_param negotiate keep_alive on
authenticate_ttl 15 minutes

## pure ntlm authentication
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=MYCOMPANY
auth_param ntlm children 500 startup=50 idle=10
auth_param ntlm keep_alive off

### provide basic authentication via ldap for clients not authenticated via kerberos/ntlm
auth_param basic program /usr/lib/squid/basic_ldap_auth -R -b "dc=mycompany,dc=com" -D squidproxyuser@mycompany.com -W /etc/squid/ldappass.txt -f sAMAccountName=%s -h mycompanydc.mycompany.com
auth_param basic children 500 startup=50 idle=10
auth_param basic realm Internet Proxy
auth_param basic credentialsttl 1 minute

#external_acl_type hebadgroup %LOGIN /usr/lib/squid/ext_wbinfo_group_acl
external_acl_type hebadgroup children-max=1000 children-startup=50 children-idle=10 ttl=900 negative_ttl=900 %LOGIN /usr/lib/squid/ext_wbinfo_group_acl

http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB tls-cert=/etc/squid/cert/squid.crt tls-key=/etc/squid/cert/ca.key
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 20MB
sslcrtd_children 50

acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http

acl direct_access dstdomain openshiftapps.com
cache deny direct_access

acl urlwhatsapp dstdomain .whatsapp.com
acl grpwhatsapp external adgroup sq_whatsapp
acl grpgithub external adgroup SSLVPN-GitHub-CoPilot


# Enable Proxy Authentication
acl aduser proxy_auth REQUIRED

# Domains for SSL Bump
acl url_sslbump dstdomain .github.com

# Define SSL Bump steps
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# SSL Bump rules for specific traffic
ssl_bump peek step1 all
ssl_bump bump step2 url_sslbump
ssl_bump splice all # Splice (do not bump) all other traffic
sslproxy_cert_error allow url_sslbump


#http_access deny !Safe_ports
#http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access deny to_localhost
http_access deny to_linklocal
include /etc/squid/conf.d/*.conf

# Access control for GitHub Copilot Group
include /etc/squid/github.conf

http_access allow urlwhatsapp grpwhatsapp
http_access deny urlwhatsapp

http_access allow aduser
http_access deny all

coredump_dir /var/spool/squid
# AV updates
refresh_pattern -i \.symantecliveupdate\.com\/.*\.(zip|7z|irn|[m|x][0-9][0-9]) 360 50% 360 reload-into-ims
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern \/(Packages|Sources)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
refresh_pattern \/Release(|\.gpg)$ 0 0% 0 refresh-ims
refresh_pattern \/InRelease$ 0 0% 0 refresh-ims
refresh_pattern \/(Translation-.*)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
refresh_pattern . 0 20% 4320

max_filedescriptors 65535
cache_mem 4096 MB
=======================================
</pre></div><br></div></div></body></html>
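An added helper-capacity check, not part of the original post: it parses the report that `squidclient mgr:negotiateauthenticator` (and the ntlm, basic and external_acl managers the poster already polls) prints, and flags a pool that is exhausted, queueing or slow, which the per-request timeout counters alone do not show. The sample report is constructed, and the field names are assumed to follow Squid's helper statistics format.

```python
"""Flag a saturated Squid helper pool from cache-manager output (added example,
not from the original post).  Input is what `squidclient mgr:negotiateauthenticator`
(or mgr:ntlmauthenticator, mgr:basicauthenticator, mgr:external_acl) prints; field
names follow Squid's helper statistics format and the sample report is constructed."""
import re

# Constructed sample: 500 of 3000 helpers active but 37 requests already
# queued, as squidclient could show on a 'children 3000' negotiate pool.
SAMPLE_REPORT = """\
Negotiate Authenticator Statistics:
program: /usr/lib/squid/negotiate_wrapper_auth
number active: 500 of 3000 (0 shutting down)
requests sent: 184233
replies received: 184201
queue length: 37
avg service time: 412 msec
"""

PATTERNS = {
    "active": r"^number active:\s+(\d+) of (\d+)",
    "queue": r"^queue length:\s+(\d+)",
    "svc_ms": r"^avg service time:\s+(\d+) msec",
}

def parse_helper_stats(report):
    """Return {'active', 'max', 'queue', 'svc_ms'} from one helper report."""
    found = {k: re.search(p, report, re.M) for k, p in PATTERNS.items()}
    if not found["active"]:
        raise ValueError("not a Squid helper statistics report")
    return {
        "active": int(found["active"].group(1)),
        "max": int(found["active"].group(2)),
        "queue": int(found["queue"].group(1)) if found["queue"] else 0,
        "svc_ms": int(found["svc_ms"].group(1)) if found["svc_ms"] else 0,
    }

def assess(stats, svc_limit_ms=1000):
    """Findings that make clients wait or fail auth; an empty list is healthy."""
    findings = []
    if stats["active"] >= stats["max"]:
        findings.append("all %d helpers busy: pool exhausted" % stats["max"])
    if stats["queue"] > 0:
        findings.append("%d requests queued for a helper" % stats["queue"])
    if stats["svc_ms"] > svc_limit_ms:
        findings.append("avg helper reply %d ms over %d ms" % (stats["svc_ms"], svc_limit_ms))
    return findings
```

Feed `parse_helper_stats` each manager report captured at the time of day the prompts appear; a non-empty `assess` result on any pool points at that helper rather than at client credentials.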