Reale Marco wrote:
I have been using Squid NT 2.6 stable 4 on Windows 2003 Server for 1 year (in an Active Directory environment) with NTLM auth and it works very well (stable, fast, and no big problems). My configuration file is (I report only the interesting section):

---------------Squid config----------------
auth_param ntlm program c:/squid/libexec/mswin_ntlm_auth.exe
external_acl_type NT_global_group %LOGIN c:/squid/libexec/mswin_check_lm_group.exe -G -c
acl DomainUsers external NT_global_group "c:/squid/etc/DomainUsers.txt"
acl Proxy_Messengers_yes external NT_global_group Proxy_Messengers_yes
acl Proxy_Internet_Ts external NT_global_group Proxy_Internet_Ts
acl Proxy_All_Open external NT_global_group Proxy_All_Open
acl Proxy_ftp_porn_block_yes external NT_global_group Proxy_ftp_porn_block_yes
acl porn dstdomain "c:/squid/block/pornblock.txt"
acl ftpblock url_regex -i \.exe$ \.mp3$ \.asx$ \.avi$ \.mpeg$ \.qt$ \.ram$ \.rm$ \.iso$ \.wav$ \.aif$ \.wma$ \.wmv$
..........
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
#
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
http_access deny Proxy_Internet_Ts !trustedsites
http_access allow enabled
http_access deny porn !Proxy_All_Open
deny_info ERR_PORN_ACCESS_DENIED porn
http_access deny bad_word_content_type !Proxy_ftp_porn_block_yes !Proxy_All_Open
deny_info ERR_PORN_ACCESS_DENIED bad_word_content_type
http_access deny msnmessenger !Proxy_Messengers_yes !Proxy_All_Open
http_access deny msnweb !Proxy_Messengers_yes !Proxy_All_Open
http_access deny msnit !Proxy_Messengers_yes !Proxy_All_Open
http_access deny BadDest !Proxy_Messengers_yes !Proxy_All_Open
http_access deny rs_deny !rs_allowed
http_access deny ftpblock !Proxy_ftp_porn_block_yes !Proxy_All_Open
http_access allow autorizzati DomainUsers
---------------Squid config end----------------

PROBLEM DESCRIPTION:
As already said, Squid works well, but sometimes (10 PCs in the last 2 months) it happens that on a PC Internet Explorer continuously requires credentials (user/password pop-up). If the same user logs on to other PCs the problem isn't present. I think it should be an Internet Explorer (or Windows) bug that unexpectedly stops working correctly with NTLM authentication and Squid.

IMPORTANT: all users have Outlook 2003 and Exchange 2003 and it works correctly, thus the problem cannot be related to Active Directory; other applications that require Kerberos or NTLM authentication (netlogon, kix, web applications) work correctly also. Thus... the problem is related to the user profile; in fact, if I recreate it, the problem disappears.

Can someone give me a suggestion? Is there a way to force Internet Explorer to clear cached credentials (or something similar...) and avoid recreating the user's profile?

Thanks
Marco

This sounds undoubtedly like a browser problem rather than a problem with Squid. There's a setting in IE that should fix it though. I'm not sure of your profile configuration, restriction-wise, but go to Tools -> Internet Options -> Advanced -> Security -> Enable Integrated Windows Authentication (requires restart). That should enable NTLM. You might find it's just been dropped on some problematic profiles.

Hope this helps
Richard
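
One way to check the setting named in the reply above without opening Internet Options in each profile, as an added example that is not part of the original thread. It assumes the checkbox is stored per user as the DWORD value `EnableNegotiate` under the Internet Settings key; the `-Fix` switch and the variable names are this example's own.

```powershell
# Added example: report "Enable Integrated Windows Authentication" for every
# user hive currently loaded on this machine (users who are logged on).
# Assumption: the checkbox maps to the DWORD value EnableNegotiate.
# Run elevated to read or change hives that belong to other users.
param([switch]$Fix)   # -Fix writes EnableNegotiate=1 where it is 0 or missing

$subKey = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'

Get-ChildItem 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |   # skips *_Classes and service SIDs
    ForEach-Object {
        $sid  = $_.PSChildName
        $path = "Registry::HKEY_USERS\$sid\$subKey"
        if (-not (Test-Path $path)) { return }   # profile has no IE settings key

        # Resolve the SID to DOMAIN\user for readability; keep the SID on failure
        try {
            $account = (New-Object System.Security.Principal.SecurityIdentifier($sid)).
                Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $account = $sid
        }

        $prop  = Get-ItemProperty -Path $path -Name EnableNegotiate -ErrorAction SilentlyContinue
        $state = if ($null -eq $prop) { 'not set' }
                 elseif ($prop.EnableNegotiate -eq 1) { 'enabled' }
                 else { 'disabled' }

        if ($Fix -and $state -ne 'enabled') {
            New-ItemProperty -Path $path -Name EnableNegotiate -Value 1 `
                -PropertyType DWord -Force | Out-Null
            $state = "$state -> enabled (restart IE)"
        }

        New-Object PSObject -Property @{ Account = $account; IWA = $state }
    }
```

Profiles reported as `disabled` are the ones where the checkbox has been cleared; as the reply notes, the browser must be restarted after the value changes.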