> Okay to Basic auth protocol works. Now what about the other two? you have > Negotiate configured as first option and NTLM configured as second. > It is *entirely* up to the browser which of the three options it picks to > use. > - IE is known only to pick the first it can use and not failover. > - Recent windows OS will not respond to NTLM by default. > > Or it could be a simpler failure in the helpers looking up the other > protocols tokens. Actually i narrowed the problem down it's even more weird than i tough. All machines joined in the domain have no issues with the squid_kerb_auth. We use WPAD on our network by DNS alias for Firefox and by DHCP for IE. The machines not joined in the domain using IE8 or IE7 for NTLM helper to work I had to the the following: In Internet Options->Connections-> LAN settings: * Remove the check from "Automatically detect settings" (Witch is crucial for WPAD) * Introduce proxy host and port manually In Internet Options->Advanced->Settings: * Remove the check from "Enable Integrated Windows Authentication" restart IE and it starts working again with no changes on squid or samba config. So some update changed the behavior of IE in this last 2 months i will try to find out witch one. Any clues? The way Windows 7 handles NTML was a known issue for me that I normally change in Local Security Policy or in the joined domain machines i handle it with GPO. Is there any know issue with WPAD implementation on IE? Is there any other helper i can use that could do kerberos auth and fall-back to NTML? >> http_access deny !FullAccess Publicidade > > "FullAccess" requires auth to be known in order to use.... these lines all > contradict "http_access allow all NoAuthNeeded" below. Changed to: http_access allow NoAuthNeeded I use this rule to not get the auth prompt in some sites. -- Ricardo