
Re: Behaviour change in ntlm authentication - please help


On Tue, 14 Jun 2005, zottmann wrote:

Now, the browsers are getting one 407 error, sending an authentication
package, getting another 407 error, sending a different authentication
package, and then they are successfully authenticated. It seems to me that
Squid is asking for ntlm v2, and was asking for ntlm v1 before. The domain
policy for this is "Send LM & NTLM - Use NTLMv2 session security if
negotiated".

This is the normal situation. There are always two NTLM packets sent by the client per TCP connection to complete an NTLM authentication.

NTLM and NTLMv2 behave the same in this.

Observing the "NTLM User Authentication Stats" in Cachemgr.cgi, we see that,
in random times of the day, the ntlm helpers begin entering in the "R"
state, and when all of them are in this state, then squid restarts itself,
sometimes returning to normal operation, and sometimes repeating this
process.

This indicates you have too few helpers for the client load you are having, or that you have malicious clients never completing the NTLM authentication but keeping their connection open. Due to the quite poor design of NTLM over HTTP authentication you need very many helpers.

A helper is reserved between the two NTLM packets sent by the client. This may be for quite extended periods of time (minutes) if the browser has to ask the user to provide suitable login credentials to complete the request.

Regards
Henrik
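
Added example (not part of the original message and not Squid project code): one way to watch for the helper exhaustion discussed in this thread is to count how many helpers carry the "R" flag in the cache manager's NTLM helper statistics and warn before all of them are reserved. The tab-separated table layout with a "Flags" column, the sample report, and the names helper_flags, reservation_summary and warn_ratio are assumptions made for this illustration.

```python
# Added example: count reserved ("R") NTLM helpers in a cachemgr-style report.
# Assumption: helper rows are tab-separated and follow a header row that
# starts with "#" and contains a "Flags" column.

# Constructed sample report, not real Squid output.
SAMPLE = (
    "NTLM Authenticator Statistics:\n"
    "number running: 5 of 5\n"
    "\n"
    "#\tFD\tPID\t# Requests\tFlags\tTime\tOffset\tRequest\n"
    "1\t10\t2101\t412\tR\t0.004\t0\t(none)\n"
    "2\t11\t2102\t398\tR\t0.003\t0\t(none)\n"
    "3\t12\t2103\t377\t\t0.005\t0\t(none)\n"
    "4\t13\t2104\t120\tR\t0.002\t0\t(none)\n"
    "5\t14\t2105\t96\tRB\t0.000\t0\t(none)\n"
)


def helper_flags(report):
    """Return the Flags cell of each helper row, located via the header row."""
    flags, col = [], None
    for line in report.splitlines():
        cells = [c.strip() for c in line.split("\t")]
        if col is None:
            # Look for the table header before accepting any data rows.
            if cells[0] == "#" and "Flags" in cells:
                col = cells.index("Flags")
        elif cells[0].isdigit() and len(cells) > col:
            flags.append(cells[col])  # an empty cell means an idle helper
    return flags


def reservation_summary(report, warn_ratio=0.75):
    """Summarise helper reservation; warn when the reserved share is high."""
    flags = helper_flags(report)
    total = len(flags)
    reserved = sum(1 for f in flags if "R" in f)
    ratio = reserved / total if total else 0.0
    return {
        "total": total,
        "reserved": reserved,
        "free": total - reserved,
        "ratio": ratio,
        "warn": total > 0 and ratio >= warn_ratio,
    }


if __name__ == "__main__":
    print(reservation_summary(SAMPLE))
```

A warning that persists while request volume stays flat suggests connections that never send the second NTLM packet rather than a plain shortage of helpers.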
