[squid-users] You MUST specify at least one Domain Controller.You can use either \ or / as separator between the domain name

Amos Jeffries squid3 at treenet.co.nz
Fri Dec 19 14:28:27 UTC 2014



On 20/12/2014 12:50 p.m., Ahmed Allzaeem wrote:
> Thank you Amos, I don't know what to say, you helped me a lot!
> 
> Now it gets user/pwd
> 
> But still a new issue appeared!!
> 
> Now the browsing is so slow!!
> 
> I checked the logs of squid and I found a lot of TCP_DENIED and some
> TCP_MISS
> 

That's DENIED/407, in particular sets of 5 requests: four auth
challenges (407) followed by one final/successful request (non-407).

NTLM handshake normally works in threes. Two 407's then one non-407.

NOTE: The non-407 can appear much later in the log than the two 407's.
A very good example of this is the 5 "POST http://ocsp.digicert.com/"
log lines. You can see the set of 407s occurring, then ~2 seconds later
the non-407 saying it took 1974 ms (~2 sec) to complete.


I suspect what you are seeing in that log is the mess that happens
when the browsers' (un)Happy Eyeballs algorithm collides with NTLM. The
browser opening connections in pairs to see which will be usable first
needs to authenticate both, but the final request is only sent on the
first connection to complete the auth.
*If* I am right about this then the slowdown should only happen on
startup when a lot of stuff has to be done by the browser and the
experience will get faster over time. The browser can technically save
the second-opened connections for later use; some do.


Also, ensure that persistent connections are enabled to both server
and clients. This will help minimize the number of handshakes
required. That is about all you can do to optimize NTLM unfortunately;
it is a truly nasty protocol.


Also, if you are seeing some clients looping with many 407s trying the
same credentials over and over, try the setting:
 auth_param ntlm keepalive off

However, don't confuse this "keepalive" option with persistent
connections. It is a hack specially crafted to work with NTLM and
Negotiate auth to fix old IE brokenness and has proven useful with
some Java apps and recent Firefox versions. It's not harmful to any
client, but can limit the proxy's total traffic capacity somewhat, so
it's best to avoid it if you don't need it.

HTH
Amos
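The log pattern Amos describes (a run of TCP_DENIED/407 challenges for one client and URL, then a single non-407 that carries the real elapsed time, with more than two challenges when extra connections are being authenticated and an endless run when a client is looping) can be picked out of access.log mechanically. The script below is an added example for this thread, not Squid's own code or anything the poster ran; it assumes Squid's default native "squid" logformat and uses a constructed sample log in which client 192.0.2.10 shows the five-line OCSP pattern and a normal two-407 handshake, while client 192.0.2.20 loops on 407 without ever completing (the case where the `auth_param ntlm keepalive off` remedy would be worth trying).

```python
"""Group Squid access.log lines into NTLM handshake rounds and flag 407 loops.

Added example for this thread; it is not Squid code. It assumes the default
native "squid" logformat and treats the 407s from one client to one URL as
the challenges that precede the next non-407 reply for that same pair.
"""
import re
from collections import defaultdict

# Native Squid access.log fields (assumed default logformat "squid"):
# time.ms elapsed client action/status size method URL user hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)\s*$"
)

# Constructed sample log (not from the original thread). Client .10 shows the
# five-line OCSP pattern (four 407s, then a 200 that took ~2 s) and a normal
# two-407 handshake; client .20 (appended below) loops on 407 and never finishes.
SAMPLE_LOG = """\
1419000000.100      0 192.0.2.10 TCP_DENIED/407 3800 POST http://ocsp.digicert.com/ - HIER_NONE/- text/html
1419000000.110      0 192.0.2.10 TCP_DENIED/407 3800 POST http://ocsp.digicert.com/ - HIER_NONE/- text/html
1419000000.120      0 192.0.2.10 TCP_DENIED/407 3800 POST http://ocsp.digicert.com/ - HIER_NONE/- text/html
1419000000.130      0 192.0.2.10 TCP_DENIED/407 3800 POST http://ocsp.digicert.com/ - HIER_NONE/- text/html
1419000000.200      0 192.0.2.10 TCP_DENIED/407 3800 GET http://www.example.com/ - HIER_NONE/- text/html
1419000000.210      0 192.0.2.10 TCP_DENIED/407 3800 GET http://www.example.com/ - HIER_NONE/- text/html
1419000000.250     35 192.0.2.10 TCP_MISS/200 9120 GET http://www.example.com/ EXAMPLE\\alice DIRECT/93.184.216.34 text/html
1419000002.104   1974 192.0.2.10 TCP_MISS/200 1450 POST http://ocsp.digicert.com/ EXAMPLE\\alice DIRECT/203.0.113.5 application/ocsp-response
"""
# Twelve 407s for the same client/URL with no non-407 ever following them.
SAMPLE_LOG += "".join(
    f"1419000003.{i:03d}      0 192.0.2.20 TCP_DENIED/407 3800 GET "
    "http://intranet.example.net/ - HIER_NONE/- text/html\n"
    for i in range(12)
)


def parse(text):
    """Return parsed records in timestamp order; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = float(d["ts"])
        d["elapsed"] = int(d["elapsed"])
        d["status"] = int(d["status"])
        records.append(d)
    records.sort(key=lambda r: r["ts"])
    return records


def handshake_rounds(records):
    """Pair each non-407 reply with the 407 challenges that preceded it for the
    same (client, URL). Returns (completed rounds, unfinished 407 counts)."""
    pending = defaultdict(int)
    rounds = []
    for r in records:
        key = (r["client"], r["url"])
        if r["status"] == 407:
            pending[key] += 1
            continue
        rounds.append({
            "client": r["client"], "url": r["url"],
            "challenges": pending.pop(key, 0),   # 407s consumed by this reply
            "status": r["status"], "elapsed_ms": r["elapsed"],
        })
    return rounds, dict(pending)


def suspicious(rounds, unfinished, normal=2, loop_threshold=10):
    """Rounds that needed more than the usual two challenges (extra connections
    being authenticated) and clients stuck on 407 for one URL with no completion."""
    extra = [r for r in rounds if r["challenges"] > normal]
    loops = sorted({client for (client, _url), n in unfinished.items()
                    if n >= loop_threshold})
    return extra, loops


if __name__ == "__main__":
    rounds, unfinished = handshake_rounds(parse(SAMPLE_LOG))
    for r in rounds:
        print(f'{r["client"]} {r["url"]}: {r["challenges"]} x 407 then '
              f'{r["status"]} ({r["elapsed_ms"]} ms)')
    extra, loops = suspicious(rounds, unfinished)
    print("rounds with extra challenges:", [r["url"] for r in extra])
    print("clients looping on 407:", loops)
```

Run it against a real access.log by replacing SAMPLE_LOG with the file contents; the `elapsed_ms` of each completed round is the figure to compare against what users perceive as slow, since the 407 lines themselves always show near-zero elapsed time.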