
R: [squid-users] Problems authenticator on huge systems


 



Hello Luis,
nice reply, first of all, very very interesting...

I noticed in 3.1.8 it seems I cannot place the credentialsttl directive; I can only - in the ntlm schema - insert this: auth_param ntlm keep_alive on.

Is it right? I read it could give some incompatibility problems with IE.

Are there some other parameters to put, in the ntlm schema, 5-minutes cache?

Thank you again,
Francesco

________________________________________
From: Luis Daniel Lucio Quiroz [luis.daniel.lucio@xxxxxxxxx]
Sent: Thursday 13 October 2011 15.49
To: frantz@xxxxxxxxxxxx
Cc: squid-users@xxxxxxxxxxxxxxx
Subject: Re:  Problems authenticator on huge systems

2011/10/13 Francesco <frantz@xxxxxxxxxxxx>:
> Hello,
>
> in a proxy server with some hundreds of users, I experience temporary
> problems with ntlm authentication; Squid says access deny for some
> minutes, then everything returns working without any actions.
>
> In cache.log i noticed these errors:
> AuthNTLMUserRequest::authenticate: attempt to perform authentication
> without a connection!
>
> I raised up the per-process max open files to 4096; do you think I am low
> of authenticator process (200)?
> Could it be this the problem?
>
> I have no cache on ntlm auth helper...
>
> Thank you,
> Francesco
>

HELO Francesco,

My first thought is you shall consider an ntlm cache, about 5 minutes.
The fact is that NTLM authentication does not work as basic
authentication. I mean, in basic authentication, once the browser
sends credentials, it always sends credentials each time without
requesting them again. In ntlm, to my understanding, it is quite
different: browsers after a lapse of time will stop sending
credentials (the hash). So a cache will really offload the samba/AD
you are forwarding auth requests to.

Taking as a reference your message, and without other evidence, I
guess the problem is not between browser-squid; it could be
squid-ad/samba.

LD
http://www.twitter.com/ldlq

