> The best is to configure Negotiate with the wrapper to cover Negotiate/NTLM > and Negotiate/Kerberos and NTLM as "pure" NTLM for applications/clients > which do not support Negotiate but NTLM ( like some chat tools). Thank you both for the feedback and help with my understanding on authentication. I installed negotiate_wrapper (running squid 3.1) and after some initial problems trying to implement the use of ntlm_auth post kerberos configuration I have it working now. I have a concern that can hopefully be cleared up... Because I implemented Kerberos first I already had a machine account in Active Directory that was created by the msktutil utility. When I researched implementing ntlm_auth the documentation mentions joining the computer to AD using "net ads join". This was an issue because I already had the computer account and didn't want to hose anything that the Negotiate/Kerberos might use and researched how to use a pre-existing computer account in AD but could not find anything, so in the end I just ran it (which worked). However after I did this Negotiate/Kerberos was broken. I fixed it by resetting the computer account and running "msktutil --auto-update" to update the computer accounts password. NTLM still worked after this. I have a cron job setup to run "msktutil --auto-update" each day to update the computer account's password when required. Will these two mechanisms interfere with each other in future? i.e. is there anything that the msktutil --auto-update might break for the winbind ntlm_auth and visa versa - if this is a dumb question I apologise but my knowledge on this is limited. Also iTunes still prompts for a password but after input of the username and password it works - I presume this is the expected behaviour and that it shouldn't be seamless - is this the difference between Negotiate/NTLM and pure NTLM? Thanks James