Henrik,

thx for the fast response.
Is any other authentication protocol in a position to manage such an auth. forwarding? Basic is not acceptable because the pwd is in plain text.

Uwe

-----Original Message-----
From: Henrik Nordstrom [mailto:henrik@xxxxxxxxxxxxxxxxxxx]
Sent: Thursday, 21 September 2006 17:00
To: Benner, Uwe
Cc: squid-users@xxxxxxxxxxxxxxx
Subject: Re: authentication forwarding

Thu 2006-09-21 at 13:00 +0200, Benner, Uwe wrote:

> Proxy A and B have to have NTLM authentication.
> 1st case both Proxies are squid
> 2nd case proxy A = squid proxy B = some appliance

Here is a problem... NTLM can not be forwarded beyond the proxy which performed the NTLM handshake. The protocol is explicitly designed to prevent this. At most, the authenticated username can be forwarded either as faked Basic authentication with a static password or as a custom header, but not the NTLM handshake as such.

> 1. Client sends http request for www.xyz.com
> 2. Proxy A denies and sends a request for authentication to the client
> 3. Client sends user/pwd and Proxy A authenticates the user and provides
> OK

Except that there is no password exchange in NTLM, only a cryptographic one-time hash exchange unique for the authenticating entity.

> Does it work, that proxy B is requesting the authentication from the
> client again?

Only when using basic authentication.

Regards
Henrik
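
Added example, not part of the original thread: a squid.conf sketch for proxy A in the first case (both proxies are Squid), where proxy A performs the NTLM handshake and forwards only the authenticated username to proxy B as Basic credentials with a static password. The peer host name, port, helper path and shared secret are placeholders chosen for illustration.

```conf
# squid.conf on proxy A (added example; names, paths and the secret are placeholders)

# Proxy A performs the NTLM handshake with the client itself.
# The handshake ends here and is not passed on to proxy B.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10

# Require a successfully authenticated user for every request.
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all

# Send all traffic through proxy B.
# login=*:password forwards the username that proxy A authenticated,
# combined with a fixed password, as Basic proxy credentials.
# The user's real password never reaches proxy B, because NTLM never
# gave it to proxy A in the first place.
cache_peer proxy-b.example.internal parent 3128 0 no-query default login=*:REPLACE_WITH_SHARED_SECRET
never_direct allow all
```

The fixed password is a secret shared between the two proxies, not a user credential, so proxy B should accept these Basic credentials only from proxy A's address. The A-to-B hop carries the username and that shared secret in Basic encoding, so it belongs on a trusted network segment.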