Thanks for that Alex.

I have used wpad in the past but I had to ensure that the browsers had "Automatically detect settings" ticked. It's for a wireless network so they are not on our domain. We purely use NTLM for authentication and verification that they are actually users on our domain.

No problems, I'm having a look at NoCatSplash (catch-and-release) software to see if this will work.

Thanks again.

-----Original Message-----
From: Alex Crow [mailto:alex@xxxxxxxxxxxxxxx]
Sent: 03 October 2011 17:57
To: squid-users@xxxxxxxxxxxxxxx
Subject: Re: Transparent Proxy & ntlm authentication issue

Almighty,

You can't do transparent and NTLM auth together, as in order to do NTLM the browser must be configured to know it's using a proxy. Unless, as your handle suggests, you are indeed omnipotent ;-)

This question and ones like it come up a lot - and there is a simple solution if you are in control of the environment - block all HTTP/S at the firewall/default gateway from client machines, do WPAD to send the clients through the proxy and there you go. That way you can also do access rules on HTTPS requests (only the domain part unless you use SSLBUMP).

And if you're in a domain, the NTLM is definitely not set up properly if the browser is prompting for a password. That's the point of NTLM, you don't need to put in your creds, they are taken from your Windows domain session.

Cheers

Alex

On 03/10/11 12:00, Almighty wrote:
> Hi,
>
> I am redirecting my clients to my proxy server transparently using IPTABLES,
>
> -A PREROUTING -p tcp -m tcp -i eth0 --dport 80 -j REDIRECT --to-ports 8080
>
> I am also using ntlm authentication that forces all connections to
> authenticate to AD.
> The redirect works fine except squid says "Cache error denied" and never
> prompts me for any authentication.
>
> If I manually specify the proxy server IP under my browser then it prompts
> me for authentication and all is well.
>
> Is there any way I can get squid to prompt me for authentication when I
> redirect through IPTABLES?
>
> Many thanks,
>
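
The WPAD approach described in the reply above depends on a proxy auto-config (wpad.dat) file that browsers fetch and evaluate. A sketch of one follows, as an added example that is not part of the original thread; the proxy hostname, the internal suffix and port 3128 (Squid's default) are placeholder assumptions.

```javascript
// wpad.dat sketch (added example, not from the thread).
// Assumptions: proxy.example.internal, the .example.internal suffix and
// port 3128 are placeholders for the site's own values.
// Written without PAC helper functions so it also runs unchanged in Node.
var INTERNAL_SUFFIX = ".example.internal";
var VIA_PROXY = "PROXY proxy.example.internal:3128";

function endsWith(s, suffix) {
  return s.length >= suffix.length &&
         s.substring(s.length - suffix.length) === suffix;
}

// True for loopback and RFC 1918 IPv4 literals.
function isPrivateIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = parseInt(m[1], 10), b = parseInt(m[2], 10);
  return a === 10 || a === 127 ||
         (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Single-label names, internal hosts (the proxy included) and private
  // addresses are reached directly.
  if (host.indexOf(".") === -1) return "DIRECT";
  if (endsWith(host, INTERNAL_SUFFIX)) return "DIRECT";
  if (isPrivateIPv4(host)) return "DIRECT";
  // Everything else is sent to the proxy explicitly, so the browser knows
  // it is talking to a proxy and can respond to its NTLM challenge.
  // No "; DIRECT" fallback: if the firewall block is ever missing,
  // traffic still cannot bypass the authenticating proxy.
  return VIA_PROXY;
}
```

Browsers with "Automatically detect settings" enabled evaluate `FindProxyForURL` for every request, which is what makes the proxy explicit rather than transparent.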