Amos, Thank you for the reply. Sorry I meant 3.0 STABLE 19. The Zimbra Desktop client connects via port 443 and I have the standard ACL; http_access deny !Safe_ports http_access deny !SSL_ports however when I change the ACL to (very insecure) http_access allow CONNECT (without the exception of !SSL_ports) the zimbra client connects... no too sure if my ACL is incorrect or if a need to add additional ports in the ACL however according to Zimbra 443 is the only one required. I ran wireshark trace I can confirm that the proxy offers all configured authentication schemes and the client responds with a Kerberos ticket. -----Original Message----- From: Amos Jeffries [mailto:squid3@xxxxxxxxxxxxx] Sent: 08 March 2012 01:55 PM To: squid-users@xxxxxxxxxxxxxxx Subject: Re: Kerberos TCP/DENIED 407 On 8/03/2012 9:17 p.m., JC Putter wrote: > Hi > > I followed > http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveD > irectory > > I can see the cache.log the the client is authenticating with a Kerberos ticket however for every connection get a TCP/DENIED 407 and then the connection is made. Is this not what NTLM does? I thought that with Kerberos this does not happen? One 407 is normal for all HTTP authentications. NTLM requires two. > I have a very strange issue we are using Zimbra Desktop client and with the proxy settings the Zimbra Desktop client fails to connect.. > > TCP_DENIED/407 2173 CONNECT cluster01.zimbra.com:443 - NONE/- > text/html > > but all the other browsers (IE,FF,Chrome) everything works but the log is full of TCP/DENIED 407. > > Any help should be appreciated > > SQUID3 Stable19 > I assume you mean 3.1.19 and not 3.0.STABLE19 ? CONNECT + auth should not have been a problem since 3.1.15. Is that desktop client app sending the credentials ticket? Amos
