I just tried using the same config, but commenting out the auth_param basic lines. Instead of being asked for a password this time, I only get to a cache access denied page. An ethereal snoop of the http response from squid shows the following HTTP/1.0 407 Proxy Authentication Required Server: squid/2.5.STABLE12 Mime-Version: 1.0 Date: Thu, 03 May 2007 18:53:16 GMT Content-Type: text/html Content-Length: 1322 Expires: Thu, 03 May 2007 18:53:16 GMT X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0 X-Cache: MISS from proxy.domain.local X-Cache-Lookup: NONE from proxy.domain.local:3128 Proxy-Connection: close Notice that there aren't any Proxy-Authenticate: ... lines that tell IE what kind of authentication to attempt to use even though the only authentication type is NTLM -Mike -----Original Message----- From: movits@xxxxxxxxxxxxx [mailto:movits@xxxxxxxxxxxxx] Sent: Thursday, May 03, 2007 2:45 PM To: Mike Poublon Subject: Re: NTLM + Squid - No NTLM Header being sent On Thursday 03 May 2007 12:09 pm, Mike Poublon wrote: > Whenever I try to access a page (using IE6 - should support NTLM), > I get a dialog box asking for my username and password - which if > provided authenticates me and I can browse the site. I'm pretty sure that what you did was use *basic* auth and validate the creds using NTLM. That's not the same thing as NTLM auth! See: > auth_param ntlm program /usr/bin/ntlm_auth > --helper-protocol=squid-2.5-ntlmssp > auth_param ntlm children 10 > auth_param ntlm max_challenge_reuses 0 > auth_param ntlm max_challenge_lifetime 2 minutes > auth_param basic program /usr/bin/ntlm_auth > --helper-protocol=squid-2.5-basic > auth_param basic children 5 > auth_param basic realm Squid proxy-caching web server > auth_param basic credentialsttl 2 hours All those basic auth_params are what's happening (and it's working because the basic auth program is /usr/bin/ntlm_auth). Mordy -- Mordy Ovits Network Security Bloomberg L.P.
