Hello,

We are switching from an LDAP authentication to an AD one. It works GREAT either with basic [password in clear :-( ] or ntlm authentication schemes. SSO was also requested, and works great.

We have one problem though:
- during the tests, some user accounts get locked very often (after 5 attempts). We know it comes from software trying to connect to the internet with older passwords.

But as we cannot guarantee it will not happen on a large scale when we migrate, I am looking for a way to prevent these accounts getting locked.

I thought of two solutions:

1. I searched for a way to make Squid only ask 3 times in a row for a valid credential, but couldn't find it. Any clue? (After three bad attempts, Squid would not send a 407, but a 200 with the error page, maybe?)

2. The other solution I went for was a more relaxed authentication scheme: using fakeauth_auth (NTLM), and basic as a fallback for non-SSO browsers.

The idea is the following:
IE (the in-house main browser) would send the Windows credential in an SSO way (thus the user is logged) in an automatic way (meaning the user doesn't see it, and cannot tamper with the authentication). We rely on IE to send us the username (Windows logon credential).
Other browsers (FF) would use the basic scheme to send their credentials.

The problem is that at least one browser that is NTLM-compatible (Opera) is able to provide the user with a prompt during the authentication, and the user may give any valid account, along with any password.

Here are the two lines:

    auth_param ntlm program /proxy3/libexec/fakeauth_auth
    auth_param basic program /proxy3/libexec/squid_ldap_auth -P -ZZ -v 3 -c 5 -t 5 -b ou=BLABLA -f(sAMAccountName=%s) -D "cn=reqaccount-BLABLA" -W /proxy3/etc/ldapauth_prd_secretfile -h dc002.fgn.com dc003.global.fgn.com

Inverting the two lines forces all browsers to use the basic authentication.

Is there a way to do NTLM only with SSO-able browsers, and then revert to BASIC for all the others?

I figure playing with useragent strings wouldn't be enough, because Opera can easily masquerade as IE (or used to).

Thank you for your ideas.

Andrew
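
Added example, not part of Andrew's message: one way to find the clients that keep retrying stale passwords before the migration is to look in Squid's native-format access.log for long unbroken runs of 407 replies to the same client. The log lines, addresses and warning threshold are constructed assumptions, and a 407 run is only a heuristic, because the first challenge of every exchange is also a 407.

```python
from collections import defaultdict

LOCKOUT_LIMIT = 5            # from the post: accounts lock after 5 attempts
WARN_AT = LOCKOUT_LIMIT - 1  # assumption: flag a client one step before that

# Constructed sample in Squid's native access.log format (not real traffic).
SAMPLE_LOG = """\
1286536301.100 3 10.0.0.21 TCP_DENIED/407 1770 GET http://example.com/ - NONE/- text/html
1286536301.150 4 10.0.0.21 TCP_DENIED/407 1905 GET http://example.com/ - NONE/- text/html
1286536301.300 88 10.0.0.21 TCP_MISS/200 5120 GET http://example.com/ alice DIRECT/192.0.2.10 text/html
1286536302.000 2 10.0.0.37 TCP_DENIED/407 1770 GET http://updates.example.net/ - NONE/- text/html
1286536303.000 2 10.0.0.37 TCP_DENIED/407 1770 GET http://updates.example.net/ - NONE/- text/html
1286536303.500 2 10.0.0.37
1286536304.000 2 10.0.0.37 TCP_DENIED/407 1770 GET http://updates.example.net/ - NONE/- text/html
1286536304.500 3 10.0.0.21 TCP_DENIED/407 1770 GET http://example.org/ - NONE/- text/html
1286536305.000 2 10.0.0.37 TCP_DENIED/407 1770 GET http://updates.example.net/ - NONE/- text/html
1286536306.000 2 10.0.0.37 TCP_DENIED/407 1770 GET http://updates.example.net/ - NONE/- text/html
"""

def parse_line(line):
    """Return (client_ip, http_status) for a native-format line, else None."""
    fields = line.split()
    if len(fields) < 4 or "/" not in fields[3]:
        return None  # truncated or foreign line: skip instead of crashing
    status = fields[3].rsplit("/", 1)[1]
    return (fields[2], int(status)) if status.isdigit() else None

def longest_407_runs(lines):
    """Longest unbroken run of 407 replies per client IP."""
    current, longest = defaultdict(int), defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, status = parsed
        if status == 407:
            current[client] += 1
            longest[client] = max(longest[client], current[client])
        else:
            current[client] = 0  # any non-407 reply ends the run
    return dict(longest)

def clients_at_risk(lines, warn_at=WARN_AT):
    """Clients whose longest 407 run reached the warning threshold."""
    return sorted(c for c, n in longest_407_runs(lines).items() if n >= warn_at)

if __name__ == "__main__":
    print(clients_at_risk(SAMPLE_LOG.splitlines()))
```

The browser at 10.0.0.21 never gets past the normal two-step NTLM challenge, while 10.0.0.37 never succeeds and is the one worth tracking down.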