Re: RES: ntlm locking user accounts in 2003 AD

Stacker Hush wrote:
> Thanks for the answer.
>
> To enable HTTP/1.1 is in my case the right way is changing the lines below:
>
> http_port 127.0.0.1:3128 transparent http11

NTLM (or any authentication) on the "transparent" interception port will not work anyway.

As Henrik said the client-facing HTTP/1.1 is very experimental and broken in a few small but annoying ways so avoiding it on this port is a good thing.

> http_port 8080 http11

Just the above by itself enables HTTP/1.1 for client connections to the proxy.

> cache_peer 127.0.0.1 parent 8081 0 no-query login=*:nopassword http11

Only affects connections to that one peer.

"server_http11 on" is the other setting to do HTTP/1.1 for DIRECT connections to general web servers.

Persistent connections also need to be turned on for both client and servers for NTLM auth to have a chance.

> From: Henrik Nordström <henrik@xxxxxxxxxxxxxxxxxxx>
> Date: 2010/7/13
> Subject: Re: ntlm locking user accounts in 2003 AD
> To: Stacker Hush <stackerhush@xxxxxxxxx>
> Cc: squid-users@xxxxxxxxxxxxxxx
>
> Mon 2010-07-12 at 12:03 -0300, Stacker Hush wrote:
>
>> The problem is when some user requests webpages I have a lot of 680
>> EVENT (logon) in Windows events/security, with seconds of interval
>
> This is normal and by design of Microsoft NTLM authentication. Every new
> TCP connection by the client to the proxy requires a new NTLM logon
> handshake.
>
> The rate of this is reduced a fair bit if you enable HTTP/1.1 support to
> clients (2.7 required). But be warned that the HTTP/1.1 client support
> in 2.7 is quite experimental.
>
>> and sometimes
>> the user accounts are locked.
>
> That's not normal.
>
> Regards
> Henrik



Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.5
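
The settings discussed in this reply, collected into one squid.conf fragment as an added example (not part of the original mail and not taken from the Squid documentation). It assumes Squid 2.7 and the same ports and peer as in the thread; the two persistent-connection directives are standard squid.conf directives that the mail mentions only in prose.

```conf
# --- As posted in the thread: http11 also set on the interception port ---
# http_port 127.0.0.1:3128 transparent http11
# http_port 8080 http11

# --- Adjusted per the reply ---
# Interception port: authentication cannot work here, and client-facing
# HTTP/1.1 is experimental in 2.7, so leave http11 off.
http_port 127.0.0.1:3128 transparent

# Explicit-proxy port that the NTLM clients are configured to use.
http_port 8080 http11

# http11 here only affects connections to this one peer.
cache_peer 127.0.0.1 parent 8081 0 no-query login=*:nopassword http11

# HTTP/1.1 for DIRECT connections to origin servers.
server_http11 on

# Persistent connections on both sides (directive names are not quoted in
# the mail). NTLM authenticates the TCP connection, so each connection
# that is reused is one logon handshake that is not repeated.
client_persistent_connections on
server_persistent_connections on
```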

