Hi there Had the same problem at one of my sites before. Squid only spawns a set number of authentication processes, it's possible that the number of users trying to reauthenticate at once are more than the number of processes. Look at auth_param basic children 5 parameter in squid.conf Regards Charl -----Original Message----- From: Hugues Ferland [mailto:hugues@xxxxxxxx] Sent: Wednesday, July 27, 2005 8:00 PM To: Roger Riggins; squid-users@xxxxxxxxxxxxxxx Subject: RE: some staff are randomly prompted for authentication IE have problem with multiple connections and NTLM. You should try to set the following registry values in "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" Create the following DWORD values: MaxConnectionsPer1_0Server and MaxConnectionsPerServer For both of them, set the value to 1. Hope this help. Regards, Hugues -----Original Message----- From: Roger Riggins [mailto:roger.riggins@xxxxxxxxxx] Sent: July 27, 2005 1:33 PM To: squid-users@xxxxxxxxxxxxxxx Subject: some staff are randomly prompted for authentication Hi all, I'm a Linux noob. I've managed to get Linux, Samba, and Squid working without bugging anybody. I've run into one hiccup that I'm unable to figure out. I'm requiring ntlm authentication for Squid which works great, but I've had a few calls (and experienced it once myself) where Squid is prompting for authentication after a user has been surfing already. I'm hoping somebody will have some insight for me! Thanks! Roger Riggins Here is my environment: Red Hat Enterprise Linux ES release 3 (Taroon Update 5) squid-2.5.STABLE3-6.3E.9 samba-3.0.9-1.3E.3 (connected to AD) Clients are Windows Server 2003 Citrix sessions Here are my configs: ************************************************ squid.conf: ************************************************ http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access allow localhost http_access deny all http_reply_access allow all icp_access allow all visible_hostname cache01 coredump_dir /var/spool/squid redirector_bypass off [root@cache01 public]# vi squid.conf [root@cache01 public]# cat squid.conf hierarchy_stoplist cgi-bin ? acl QUERY urlpath_regex cgi-bin \? no_cache deny QUERY auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp auth_param ntlm children 5 auth_param ntlm max_challenge_reuses 0 auth_param ntlm max_challenge_lifetime 2 minutes refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern . 0 20% 4320 acl AuthorizedUsers proxy_auth REQUIRED acl all src 0.0.0.0/0.0.0.0 acl manager proto cache_object acl localhost src 127.0.0.1/255.255.255.255 acl to_localhost dst 127.0.0.0/8 acl SSL_ports port 443 563 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 563 # https, snews acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT http_access allow all AuthorizedUsers http_access allow manager localhost http_access deny manager http_access allow Safe_ports http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access allow localhost http_access deny all http_reply_access allow all icp_access allow all visible_hostname cache01 coredump_dir /var/spool/squid redirector_bypass off ************************************************ smb.conf ************************************************ [global] workgroup = DOMAIN netbios name = cache01 server string = cache01 cache server security = ads idmap uid = 10000-20000 idmap gid = 10000-20000 winbind enum users = yes winbind enum groups = yes password server = * encrypt passwords = yes realm = domain.local [public] path = /usr/local/public comment = public share read only = no ************************************************ nsswitch.conf ************************************************ passwd: files winbind shadow: files winbind group: files winbind hosts: files dns bootparams: nisplus [NOTFOUND=return] files ethers: files netmasks: files networks: files protocols: files rpc: files services: files netgroup: files publickey: nisplus automount: files aliases: files nisplus ************************************************ krb5.conf ************************************************ [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] ticket_lifetime = 24000 default_realm = EXAMPLE.COM dns_lookup_realm = true dns_lookup_kdc = true [realms] EXAMPLE.COM = { kdc = kerberos.example.com:88 admin_server = kerberos.example.com:749 default_domain = example.com } [domain_realm] .example.com = EXAMPLE.COM example.com = EXAMPLE.COM [kdc] profile = /var/kerberos/krb5kdc/kdc.conf [appdefaults] pam = { debug = false ticket_lifetime = 36000 renew_lifetime = 36000 forwardable = true krb4_convert = false } Roger Riggins Network Administrator Lutheran Services in Iowa w: 319.859.3543 c: 319-290-5687 http://www.lsiowa.org