Looks like we are making progress. Yeah there is a condition in the code client_side.c that relates to when "WWW-Authenticate" header is being deleted. Condition checks for no_connection_auth flag in the request. This is the code. It checks if there is no_connection_auth in incoming request then that header is being deleted. I think it relates to pinning connections as you said earlier.

    if (request->flags.no_connection_auth) {
        httpHeaderDelAt(hdr, pos);
        connection_auth_blocked = 1;
        continue;
    }

But in Squid-2.7.Stable7 there is support only for specifying no-connection-auth in http_port directive. In Squid 3.1 we can turn it on|off using connection-auth=[on|off]. How to not set the no_connection_auth flag in Squid-2.7.Stable.7?

Regards,
Saurabh

-----Original Message-----
From: Amos Jeffries [mailto:squid3@xxxxxxxxxxxxx]
Sent: Tuesday, February 01, 2011 4:39 PM
To: squid-users@xxxxxxxxxxxxxxx
Subject: Re: Authentication to Sharepoint not happening

On 01/02/11 23:57, Saurabh Agarwal wrote:
> Thanks Amos. Yeah they were cut and paste errors. Other than that I have tried using http11 with http_port and ignore_expect and it still doesn't work.
>
> I think this is by design in Squid. Following code in "client_side.c" suggests that it will always filter the "WWW-Authenticate" header from HTTP Headers by treating it as unproxyable auth type.
>
>     /* Filter unproxyable authentication types */
>     if (http->log_type != LOG_TCP_DENIED &&
>         (httpHeaderHas(hdr, HDR_WWW_AUTHENTICATE))) {
>         HttpHeaderPos pos = HttpHeaderInitPos;
>         ....
>         ....
>         ...code here removes the "WWW-Authenticate" from HTTP Header.

There should be some conditions skipping removal on "must_keepalive" or "proxy_keepalive" flags in there. I would expect pinning to be in effect at this point. If not that is a problem someone might find worth fixing one day. For Negotiate auth type at minimum.

>
> Also the following link "http://www.visolve.com/squid/Squid_tutorial.php#Authentication_" suggests that Proxy Auth can't work in transparent mode.
>
> Can you please comment on this?

Yes "Proxy-Authenticate:" will not work in transparent mode. There is no reason why "WWW-Authenticate:" with the origin cannot.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.10
  Beta testers wanted for 3.2.0.4