> >ntlm-auth[1864]: attempting SSPI challenge retrieval
> >ntlm-auth[1864]: Got it
> >ntlm-auth[1864]: sending 'TT *some stuff that might be a hash*' to squid
> >ntlm-auth[1864]: Got 'KK *some more hash-like stuff*' from Squid
> >ntlm-auth[1864]: No domain supplied. Returning no-auth
> >ntlm-auth[1864]: sending 'NA Incorrect Request Format' to squid
>
> This response from the helper is clear:
>
> There is an NTLM authentication request without domain, but the
> domain field is mandatory for NTLM authentication with the current
> ntlm-auth.exe helper.
>
> Some of your clients are sending user credentials without a domain, maybe
> local users or a machine that is not a member of the Windows domain.

Thanks for the response, Guido. That was as I thought - that it was a client sending some kind of bad credentials; still doesn't tell me *which* client though! And as authenticator log entries aren't time stamped I can't even try to correlate them with TCP_DENIED entries in access.log.

As asked in the OP, is there a debug_level parameter that can be used to trace requests sent to authenticator helper processes? None of the candidates in debug-sections.txt seem quite right, unless section 28 is the one.

Regards

Euan
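Added example, not part of the original message or of Squid's helper code: the blob after `KK` in the helper trace is the base64 NTLM type 3 (authenticate) message, and its domain, user and workstation fields name the client that sent the request. The sketch below decodes those fields from the text between the quotes of a `Got 'KK ...'` line; the sample message, the names `localuser` and `LAB-PC7`, and the `cp437` OEM fallback are constructed assumptions.

```python
import base64
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001  # flag bit: strings are UTF-16LE

def _field(msg, pos, encoding):
    """Read one security buffer (len, maxlen, offset) and return its text."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length].decode(encoding, errors="replace")

def decode_kk(line):
    """Return domain, user and workstation from a 'KK <base64>' helper line."""
    verb, _, blob = line.strip().partition(" ")
    if verb != "KK":
        raise ValueError("not a KK line")
    msg = base64.b64decode(blob, validate=True)
    if len(msg) < 52 or not msg.startswith(NTLMSSP_SIG):
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != 3:
        raise ValueError("expected type 3 (authenticate), got %d" % msg_type)
    # Assumption: the message carries the flags field at offset 60.
    flags = struct.unpack_from("<I", msg, 60)[0] if len(msg) >= 64 else 0
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"  # OEM guess
    return {"domain": _field(msg, 28, enc),
            "user": _field(msg, 36, enc),
            "workstation": _field(msg, 44, enc)}

def build_sample(domain, user, workstation):
    """Constructed test data: a type 3 message with empty LM/NT responses."""
    payload, bufs, off = b"", [], 64  # 64 = fixed header size used here
    for text in (domain, user, workstation):
        raw = text.encode("utf-16-le")
        bufs.append(struct.pack("<HHI", len(raw), len(raw), off))
        payload += raw
        off += len(raw)
    empty = struct.pack("<HHI", 0, 0, 64)
    msg = (NTLMSSP_SIG + struct.pack("<I", 3) + empty + empty + b"".join(bufs)
           + empty + struct.pack("<I", NEGOTIATE_UNICODE) + payload)
    return "KK " + base64.b64encode(msg).decode("ascii")

if __name__ == "__main__":
    # A request with an empty domain, the case the helper rejected above.
    print(decode_kk(build_sample("", "localuser", "LAB-PC7")))
```

An empty `domain` together with a populated `workstation` points at the machine behind the `No domain supplied` rejection, which can then be matched by host against TCP_DENIED entries in access.log.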