(sorry for the thread break, I loosed original messages and cannot find the Message-ID) Amos, thanks for your hints. I did some tests to connect to a kerberos enabled squid from a windows client not within the AD domain: squid auth setup is: negotiate squid_kerb_auth ntlm basic (ldap) As negotiate is proposed and IE support it, it always try to authenticate with negotiate and so it fails every time. I tried to invert the auth order, putting basic at first, IE always try negotiate (when Firefox just use the first one). With the negotiate,ntlm,basic order, firefox seems to try different methods, because after three tries of login in, it works. If I remove negotiate, then I can authenticate using ntlm by specifying as username DOMAIN\user. So as I understand, the only way to go is to have two squids: - one with kerberos for 'domain' users (with ntlm fallback for clients not knowing negotiate support, but ntlm and with basic fallback for client without negotiate/ntlm support) - and a second one with only basic auth