Hi,

I have a question about the NTLM authentication protocol. Here is my relevant squid conf:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=internet-group
auth_param ntlm children 100
auth_param ntlm max_challenge_reuses 100
auth_param ntlm max_challenge_lifetime 5 minutes
acl AuthorizedUsers proxy_auth REQUIRED
http_access allow AuthorizedUsers
http_access deny all

When a user who is not a member of "internet-group" requests a webpage, an authentication window appears (login and password). On the proxy side, I see:

1138260038.968 0 10.2.32.248 TCP_DENIED/407 1428 GET http://www.index.hu/ - NONE/- text/html
1138260038.971 0 10.2.32.248 TCP_DENIED/407 1418 GET http://www.index.hu/ - NONE/- text/html
1138260038.977 4 10.2.32.248 TCP_DENIED/407 1428 GET http://www.index.hu/ - NONE/- text/html

My question is: is this the correct working?

http://en.wikipedia.org/wiki/NTLM

I think in the first and second case the 407 answer is correct, because we have no information about whether the authentication succeeded. But when the client sends the type 3 response, squid will access or deny the user. When denied, why send back 407 (403 would be great)? How can I change this behaviour?

Server: Debian GNU/Linux 3.1, squid 2.5.9-10sarge2, samba 3.0.14a-3sarge
Clients: Windows XP SP2, IE 6.0.2900.2180.xpsp_sp2_rtm.040803-2158

Thanks in advance,
Szabolcs Horvath
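
An added example, not part of the original post: a small access.log check that tells the normal two-407 NTLM negotiation apart from the three-407 pattern shown above, where the type 3 response is also refused. The 5-second window, the function names and the last three sample lines are assumptions made for illustration.

```python
from collections import namedtuple

# Squid native access.log lines. The first three are the ones quoted in the
# post; the last three are constructed to show a handshake that succeeds.
SAMPLE_LOG = """\
1138260038.968 0 10.2.32.248 TCP_DENIED/407 1428 GET http://www.index.hu/ - NONE/- text/html
1138260038.971 0 10.2.32.248 TCP_DENIED/407 1418 GET http://www.index.hu/ - NONE/- text/html
1138260038.977 4 10.2.32.248 TCP_DENIED/407 1428 GET http://www.index.hu/ - NONE/- text/html
1138260100.100 0 10.2.32.10 TCP_DENIED/407 1428 GET http://example.test/ - NONE/- text/html
1138260100.104 0 10.2.32.10 TCP_DENIED/407 1418 GET http://example.test/ - NONE/- text/html
1138260100.350 240 10.2.32.10 TCP_MISS/200 5120 GET http://example.test/ alice DIRECT/192.0.2.10 text/html
"""

Entry = namedtuple("Entry", "ts client status url")

def parse_line(line):
    """Parse one native-format line; return None if it is malformed."""
    fields = line.split()
    if len(fields) < 10:
        return None
    try:
        # fields[3] looks like "TCP_DENIED/407"
        status = int(fields[3].rpartition("/")[2])
        return Entry(float(fields[0]), fields[2], status, fields[6])
    except ValueError:
        return None

def rejected_handshakes(log_text, window=5.0):
    """Return (client, url, ts) when a third 407 in a row is logged.

    Requests 1 and 2 (no credentials, then the type 1 message) always get
    407, so only a third consecutive 407 for the same client and URL within
    `window` seconds (assumed value) marks a refused type 3 response.
    """
    runs, hits = {}, []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        key = (entry.client, entry.url)
        if entry.status != 407:
            runs.pop(key, None)          # handshake completed, reset the run
            continue
        first_ts, count = runs.get(key, (entry.ts, 0))
        if entry.ts - first_ts > window:
            first_ts, count = entry.ts, 0  # stale run, start counting again
        runs[key] = (first_ts, count + 1)
        if count + 1 == 3:
            hits.append((entry.client, entry.url, entry.ts))
    return hits
```
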