Hi,

I am running a cache cluster and on the controller it's running NTLM authentication. The problem comes in when the user/me loads any SSL site: it takes ages before it starts loading. Once it's loaded, if you refresh/use it, it goes quickly; it's just that initial load that takes very long.

I have another cluster running at another location within this same company and it does not have the same symptoms at all, so it's not the upstream IWSS servers that are causing this. The only difference between the two is the squid version. The new one with the problem is running:

    [root@S058] /var/log/squid # squid -v
    Squid Cache: Version 2.6.STABLE12
    configure options: '--bindir=/usr/local/sbin' '--sbindir=/usr/local/sbin' '--datadir=/usr/local/etc/squid' '--libexecdir=/usr/local/libexec/squid' '--localstatedir=/usr/local/squid' '--sysconfdir=/usr/local/etc/squid' '--enable-removal-policies=lru heap' '--disable-linux-netfilter' '--disable-linux-tproxy' '--disable-epoll' '--enable-auth=basic ntlm digest' '--enable-basic-auth-helpers=NCSA PAM MSNT SMB LDAP YP' '--enable-digest-auth-helpers=password ldap' '--enable-external-acl-helpers=ip_user session unix_group wbinfo_group ldap_group' '--enable-ntlm-auth-helpers=SMB' '--enable-storeio=ufs diskd null' '--enable-snmp' '--disable-carp' '--enable-ssl' '--with-openssl=/usr/local' '--enable-useragent-log' '--enable-follow-x-forwarded-for' '--enable-icap-support' '--enable-ipf-transparent' '--enable-kqueue' '--enable-err-languages=Azerbaijani Bulgarian Catalan Czech Danish Dutch English Estonian Finnish French German Greek Hebrew Hungarian Italian Japanese Korean Lithuanian Polish Portuguese Romanian Russian-1251 Russian-koi8-r Serbian Simplify_Chinese Slovak Spanish Swedish Traditional_Chinese Turkish' '--enable-default-err-language=English' '--prefix=/usr/local' 'i386-portbld-freebsd4.11' 'build_alias=i386-portbld-freebsd4.11' 'host_alias=i386-portbld-freebsd4.11' 'target_alias=i386-portbld-freebsd4.11'

My squid.conf looks like this:

    half_closed_clients off
    #tcp_outgoing_address
    append_domain .domain.com
    auth_param ntlm program ntlm_auth.sh ntlmssp
    auth_param ntlm children 20
    auth_param ntlm keep_alive on
    auth_param basic program ntlm_auth.sh basic
    auth_param basic children 20
    auth_param basic realm S058.domain.com Cache NTLM Authentication
    auth_param basic credentialsttl 2 hours
    http_port 3128 transparent
    icp_port 3130
    #htcp_port 0
    cache_mem 512 MB
    acl all src 0.0.0.0/0.0.0.0
    acl localhost src 127.0.0.1/255.255.255.255
    acl SSL_ports port 443 563 5443 4443
    acl Safe_ports port 21 70 80 81 90 91 210 443 488 591 777 1025-65535
    acl CONNECT method CONNECT
    acl NOAUTHIP dst "noauthip.list"
    acl NOAUTHDOM dstdomain "noauthdom.list"
    acl NTLM proxy_auth REQUIRED
    acl ADIRDOM dstdomain "adirdom.list"
    always_direct allow ADIRDOM
    acl ADIRIP dst "adirip.list"
    always_direct allow ADIRIP
    acl NOCACHE dstdomain "nocache.list"
    no_cache deny NOCACHE
    always_direct deny all
    never_direct allow all
    acl QUERY urlpath_regex cgi-bin \?
    no_cache deny QUERY
    cache_swap_low 90
    cache_swap_high 96
    maximum_object_size 32768 KB
    minimum_object_size 0 KB
    maximum_object_size_in_memory 128 KB
    ipcache_size 10240
    ipcache_low 90
    ipcache_high 95
    fqdncache_size 10240
    log_fqdn off
    memory_pools off
    cache_replacement_policy heap GDSF
    #memory_replacement_policy heap LFUDA
    memory_replacement_policy lru
    #cache_replacement_policy lru
    cache_dir null /null
    log_mime_hdrs on
    logformat squid %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt %>st
    cache_access_log /var/log/squid/access.log squid
    cache_log /var/log/squid/cache.log
    cache_store_log none
    pid_filename /usr/local/squid/logs/squid.pid
    store_dir_select_algorithm round-robin
    debug_options ALL,1
    ftp_user opteq@
    ftp_passive on
    dns_timeout 50 seconds
    quick_abort_min 10 kb
    quick_abort_pct 50%
    quick_abort_max 1024 kb
    negative_ttl 2 minute
    range_offset_limit 0 KB
    connect_timeout 10 second
    cache_peer 1.1.5.2 parent 3128 3130 proxy-only login=*:pass
    cache_peer 1.1.5.3 parent 3128 3130 proxy-only login=*:pass
    cache_peer 1.1.5.4 parent 3128 3130 proxy-only login=*:pass
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_access allow NOAUTHIP
    http_access allow NOAUTHDOM
    http_access allow NTLM
    http_access deny all
    # And finally deny all other access to this proxy
    icp_access allow all
    cache_mgr support@xxxxxxxxxx
    cache_effective_user nobody
    cache_effective_group nobody
    visible_hostname S058.domain.com
    #dns_testnames netscape.com internic.net nlanr.net microsoft.com
    dns_testnames localhost
    forwarded_for on
    ie_refresh on
    acl localSnmp snmp_community public
    acl SNMPIP0 src 10.6.14.25/32
    acl SNMP0 snmp_community cms
    snmp_port 3401
    snmp_access allow localSnmp localhost
    snmp_access allow SNMP0 SNMPIP0
    snmp_access deny all
    snmp_incoming_address 0.0.0.0
    snmp_outgoing_address 255.255.255.255
    peer_connect_timeout 30 seconds
    dead_peer_timeout 30 seconds
    httpd_suppress_version_string = on

Now my ntlm_auth.sh looks like this:

    [root@S058] # cat ntlm_auth.sh
    #!/bin/sh
    W="$1"
    /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-$W --require-membership-of='DOMAIN\Group'

I have narrowed it down more by not using the cache peers in the squid.conf and rather pointed them directly at the IWSS servers and still get the same results, so the cache_peers are not causing any problems here, it seems.

I have looked in messages and cache.log and don't see any error messages. Also, a "net ads testjoin" works fine, and even normal sites that require authentication load fairly quickly, so authentication is working fine.

Any ideas? I'm stumped.

Thanks in advance,
Ian