[squid-users] User got domain login dialog box prompt, when number of user more than 250++

wong237ma at yahoo.com wong237ma at yahoo.com
Fri Jun 13 08:08:12 UTC 2025 

Hi,

I had successfully setup squid-openssl (6.10) in Ubuntu 24.04.02 LTS, staging and production. I refer to this squid wiki: https://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory. I had setup Squid-cache authenticate against Activi Directory via kerberos. For proxy user access to staging, windows users (joined AD) no issue on authentication. I test users authenticate seemlessly without any prompt.

Our office user around 600. when I turn on production proxy. At morning 9am, when user number hit around 100, no issue raise. when user number hit around 250++, windows users, the browser start to prompt user login, even domain credential are correct, but seem not work, after that user cannot surf any website.

How to troubleshoot this issue?

I use squidclient to monitor external_acl, negotiateauthenticator, ntlmauthenticator, basicauthenticator, so far no requests timedout.

I also monitor cache.log with filtering "FATAL:|WARNING:|squidaio_queue_request:|SECURITY ALERT:" didn't find any specifc error.

Can help to identify, wonder user still got domain login prompt from, e.g. internet browser, like chrome, edge or firefox, outlook and microsoft teams, etc.

Appciate any help.

Thanks.

attach my squid.conf:
=======================================
## negotiate kerberos and ntlm authentication
auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=MYCOMPANY --kerberos /usr/lib/squid/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
auth_param negotiate children 3000 startup=500 idle=200
auth_param negotiate keep_alive on
authenticate_ttl 15 minutes

## pure ntlm authentication
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=MYCOMPANY
auth_param ntlm children 500 startup=50 idle=10
auth_param ntlm keep_alive off

### provide basic authentication via ldap for clients not authenticated via kerberos/ntlm
auth_param basic program /usr/lib/squid/basic_ldap_auth -R -b "dc=mycompany,dc=com" -D squidproxyuser at mycompany.com -W /etc/squid/ldappass.txt -f sAMAccountName=%s -h mycompanydc.mycompany.com
auth_param basic children 500 startup=50 idle=10
auth_param basic realm Internet Proxy
auth_param basic credentialsttl 1 minute

#external_acl_type hebadgroup %LOGIN /usr/lib/squid/ext_wbinfo_group_acl
external_acl_type hebadgroup children-max=1000  children-startup=50 children-idle=10 ttl=900 negative_ttl=900 %LOGIN /usr/lib/squid/ext_wbinfo_group_acl

http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB tls-cert=/etc/squid/cert/squid.crt tls-key=/etc/squid/cert/ca.key
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 20MB
sslcrtd_children 50

acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8             # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10          # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16         # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12          # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16         # RFC 1918 local private network (LAN)
acl localnet src fc00::/7               # RFC 4193 local private network range
acl localnet src fe80::/10              # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http

acl direct_access dstdomain openshiftapps.com
cache deny direct_access

acl urlwhatsapp dstdomain .whatsapp.com
acl grpwhatsapp external adgroup sq_whatsapp
acl grpgithub external adgroup SSLVPN-GitHub-CoPilot


# Enable Proxy Authentication
acl aduser proxy_auth REQUIRED

# Domains for SSL Bump
acl url_sslbump dstdomain .github.com

# Define SSL Bump steps
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# SSL Bump rules for specific traffic
ssl_bump peek step1 all
ssl_bump bump step2 url_sslbump
ssl_bump splice all                     # Splice (do not bump) all other traffic
sslproxy_cert_error allow url_sslbump


#http_access deny !Safe_ports
#http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access deny to_localhost
http_access deny to_linklocal
include /etc/squid/conf.d/*.conf

# Access control for GitHub Copilot Group
include /etc/squid/github.conf

http_access allow urlwhatsapp grpwhatsapp
http_access deny urlwhatsapp

http_access allow aduser
http_access deny all

coredump_dir /var/spool/squid
# AV updates
refresh_pattern -i \.symantecliveupdate\.com\/.*\.(zip|7z|irn|[m|x][0-9][0-9])   360  50%   360  reload-into-ims
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern \/(Packages|Sources)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
refresh_pattern \/Release(|\.gpg)$ 0 0% 0 refresh-ims
refresh_pattern \/InRelease$ 0 0% 0 refresh-ims
refresh_pattern \/(Translation-.*)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
refresh_pattern .               0       20%     4320

max_filedescriptors 65535
cache_mem 4096 MB
=======================================
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20250613/9a241428/attachment.htm>

More information about the squid-users mailing list