I have 2 proxy servers chained together. Both authenticate against different AD domains.

The downstream proxy is running on Windows (squid/2.5.STABLE1-CVS) supporting only basic auth (nt_auth.exe). This proxy server has a cache_peer basic auth setup to the upstream proxy:

    cache_peer upstream.proxy 3128 0 no-query login=UPSTREAM_DOMAIN\dummyuser:password

The upstream is running on RHEL (squid/2.7.STABLE7) supporting NTLM and Basic with AD using this guide http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory, plus wb_info.pl for the group lookup.

The users in UPSTREAM_DOMAIN can browse the Internet using the upstream proxy. However, the downstream proxy users can't browse the Internet. Their browser prompts for username and password twice - the first time it showed the downstream Realm, which makes sense, but the second prompt showed the upstream Realm!

In the access.log file on the downstream, it showed successful authentication with the username.

    x.x.x.x - downstream_domain\user [09/Oct/2009:12:58:59] "GET http://www.google.com/ HTTP/1.0" 200 240 TCP_MISS:FIRST_UP_PARENT

But the access.log file on the upstream proxy showed 407 with the "UPSTREAM_DOMAIN\dummyuser", which is correct.

    downstream.proxy - upstream_domain\user [09/Oct/2009:12:58:59] "GET http://www.google.com/ HTTP/1.0" 407 1685 TCP_DENIED:NONE

Below is the auth conf on the upstream proxy:

    auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
    auth_param ntlm children 40
    auth_param ntlm keep_alive off
    auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
    auth_param basic children 5
    auth_param basic realm Internet Access
    external_acl_type ads-group children=20 %LOGIN /usr/local/squid/libexec/wbinfo_group.pl -d
    acl downstream_user proxy_auth -i upstream_domain\dummyuser
    http_access allow downstream_user
    http_reply_access allow downstream_user

Does anyone have any idea how to resolve this problem?

Thank you
myocella