Hi,

I am running Squid 3.0STABLE19 on Ubuntu 10.04LTS as a "normal" (non-transparent) proxy server for a number of Windows workstations in an Active Directory environment using W2K8R2 domain controller servers running in W2K3 functional mode.

I have implemented authentication in Squid using the squid_kerb_auth module from Markus Moeller. Authentication is working fine for users logging in using domain credentials on domain registered workstations using both IE7 and 8 on Windows XP and Firefox 3.6.3.

However, I would like to allow the occasional non-domain user to have internet access via Squid and so it would be helpful for a login dialog box to be presented. When IE 7 and 8 are used, this occurs and authentication is successful. However, with Firefox it does not and an error is returned by Squid - Access Denied.

Looking at some packet dumps between the Windows workstation and Squid shows that Firefox tries a few times to auth then gives up. Enabling logging in Firefox reveals Firefox responds similarly to IE with a GET request with a Proxy-Authorization: Negotiate ..... header.

In the Squid cache log it indicates:

    squid_kerb_auth: Got 'YR T1RMT...AAAADw==' from squid (length 59).
    squid_kerb_auth: received type 1 NTLM token

However, unlike IE, it then gives up, whereas IE then initiates a KRB5 AS-REQ to a domain controller, then gets a ticket and then contacts Squid again, at which point it authenticates.
In the Firefox log, just before the GET request, it shows:

    service = fqdn.of.squid.proxy
    using negotiate-sspi
    using SPN of [HTTP/fqdn.of.squid.proxy]]
    AcquireCredentailsHandle() succeeded
    nsHttpNegotiateAuth:: GenerateCredentials_1_9_2() [challenge=Negotiate]
    entering nsAuthSSPI::GetNextToken()
    InitializeSecurityContext: continue
    Sending a token of length 40

Then after sending the GET request and receiving the Squid 407 response it shows:

    nsHttpNegotiateAuth:: GenerateCredentials_1_9_2() [challenge=Negotiate]
    entering nsAuthSSPI::GetNextToken()
    Cannot restart authentication sequence!

Does Firefox not like the Squid HTTP1.0 Proxy-Connection: close response in response to its HTTP1.1 Proxy-Connection: keep-alive GET request?

I am puzzled as to whether Squid, Firefox or IE is behaving as one would expect given the scenario. Does anyone have any ideas?

If Squid and Firefox are behaving correctly but IE is doing a workaround then that is OK and I will need to live with the situation.

I am happy to perform additional debug work to investigate the problem further.

I have tried various settings in the Firefox about:config - network.negotiate-auth.trusted-uris configuration item, and other similar related settings mentioned in other posts, but without success.

Reading some Mozilla Dev postings over the last 12 months or so indicates there have been some issues with NTLM and Kerberos in various versions of Firefox, but I think these have been addressed.

Thanks in advance

Paul Freeman
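The cache log in the post shows the helper finding a type 1 NTLM token inside a Negotiate header. The sketch below is an added example, not part of the original message and not squid_kerb_auth code: it classifies a captured `Proxy-Authorization` value as NTLM or GSS-API (SPNEGO/Kerberos). The function names and both sample tokens are constructed for illustration.

```python
import base64
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
SPNEGO_OID = bytes.fromhex("06062b0601050502")      # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # 1.2.840.113554.1.2.2


def classify_negotiate(header_value):
    """Classify the token carried in a 'Negotiate <base64>' header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return "not-negotiate"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "invalid-base64"
    # Raw NTLMSSP: 8-byte signature, then a little-endian message type.
    if token.startswith(NTLMSSP_SIG) and len(token) >= 12:
        return "ntlm-type-%d" % struct.unpack_from("<I", token, 8)[0]
    # GSS-API initial token: 0x60, DER length, then the mechanism OID.
    if len(token) > 2 and token[0] == 0x60:
        n = token[1]
        off = 2 + ((n & 0x7F) if n & 0x80 else 0)
        if token[off:].startswith(SPNEGO_OID):
            return "spnego"
        if token[off:].startswith(KRB5_OID):
            return "kerberos"
        return "gssapi-other"
    return "unknown"


def sample_ntlm_type1():
    """Constructed 40-byte NTLM type 1 message (not a capture from the post)."""
    msg = NTLMSSP_SIG + struct.pack("<I", 1) + struct.pack("<I", 0xE2088297)
    msg += bytes(16)  # empty domain and workstation fields
    msg += bytes([6, 1]) + struct.pack("<H", 7600) + bytes([0, 0, 0, 15])
    return "Negotiate " + base64.b64encode(msg).decode()


def sample_spnego():
    """Constructed GSS-API header carrying only the SPNEGO OID."""
    body = SPNEGO_OID + b"\xa0\x00"
    return "Negotiate " + base64.b64encode(b"\x60" + bytes([len(body)]) + body).decode()


if __name__ == "__main__":
    for value in (sample_ntlm_type1(), sample_spnego()):
        print(classify_negotiate(value), value)
```

The constructed 40-byte type 1 message encodes to 56 base64 characters, so with the `YR ` prefix it has the same length 59 as in the cache log, and it ends in `AAAADw==` like the logged token.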