Hi all,

I'm having considerable trouble getting Squid to work well with NTLM/Kerberos and was hoping someone here would be able to help. My ultimate goal is to be able to connect to an IIS server through Squid using a computer that is not a member of the AD domain. I would like to enter my credentials once to the proxy, and then have Squid save the authentication token in order to use it against other servers that require authentication.

The problem I'm facing is that no matter what I've tried, I'm forced to authenticate manually six times while loading sites requiring authentication. This is much worse than the behavior prior to adding Squid.

First, is it possible for Squid to cache the credentials and then authenticate on behalf of the client to an upstream server? If this isn't the best way to go about doing this, what would you suggest?

Second, what could be the problem with my configuration? I'm running Squid 3.1.10.

Thanks in advance!

Here is my current config:

http_port 80 accel defaultsite=webservername connection-auth=on
cache_peer x.x.x.x parent 80 0 no-query login=PASS originserver connection-auth=on name=serv
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm keep_alive on
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Domain Proxy Server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
acl auth proxy_auth REQUIRED
http_access allow auth
http_access deny all
acl our_sites dstdomain webservername proxy_auth REQUIRED
client_persistent_connections on
server_persistent_connections on
debug_options ALL,2
http_access allow our_sites
cache_peer_access serv allow our_sites
cache_peer_access serv deny all

If it helps, here is part of the cache.log file with debug level 2 applied.
When I request the website through the proxy, there is an initial 5 second delay that is not present when accessing the site directly. Then I get the following:

[2012/05/14 22:32:00.549309, 3] libsmb/ntlmssp.c:65(debug_ntlmssp_flags) Got NTLMSSP neg_flags=0xa2088207
2012/05/14 22:32:05.555| AuthNTLMUserRequest::authenticate: need to challenge client 'Tl...AA'!
2012/05/14 22:32:05.556| The request GET http://webservername/testsite/ is DENIED, because it matched 'auth'
2012/05/14 22:32:05.556| The reply for GET http://webservername/testsite/ is ALLOWED, because it matched 'auth'
[2012/05/14 22:32:05.560165, 3] libsmb/ntlmssp.c:747(ntlmssp_server_auth) Got user=[me] domain=[DOMAIN] workstation=[WKS_NAME] len1=24 len2=24
[2012/05/14 22:32:05.565952, 3] libsmb/ntlmssp_sign.c:343(ntlmssp_sign_init) NTLMSSP Sign/Seal - Initialising with flags:
[2012/05/14 22:32:05.566021, 3] libsmb/ntlmssp.c:65(debug_ntlmssp_flags) Got NTLMSSP neg_flags=0xa2088205
2012/05/14 22:32:05.566| The request GET http://webservername/testsite/ is ALLOWED, because it matched 'auth'
2012/05/14 22:32:05.566| client_side_request.cc(547) clientAccessCheck2: No adapted_http_access configuration.
2012/05/14 22:32:05.566| The request GET http://webservername/testsite/ is ALLOWED, because it matched 'auth'
2012/05/14 22:32:05.578| The reply for GET http://webservername/testsite/ is ALLOWED, because it matched 'our_sites'

## After authenticating, I get this, followed by a few more authentications and a lot more http requests:

2012/05/14 22:33:09.880| connReadWasError: FD 12: got flag -1
2012/05/14 22:33:09.880| ConnStateData::swanSong: FD 12
[2012/05/14 22:33:09.884534, 3] libsmb/ntlmssp.c:65(debug_ntlmssp_flags) Got NTLMSSP neg_flags=0xa2088207
2012/05/14 22:33:14.891| AuthNTLMUserRequest::authenticate: need to challenge client 'Tl...AA'!
2012/05/14 22:33:14.891| The request GET http://webservername/testsite/ is DENIED, because it matched 'auth'
2012/05/14 22:33:14.891| The reply for GET http://webservername/testsite/ is ALLOWED, because it matched 'auth'
[2012/05/14 22:33:14.894114, 3] libsmb/ntlmssp.c:747(ntlmssp_server_auth) Got user=[me] domain=[DOMAIN] workstation=[WKS_NAME] len1=24 len2=24
[2012/05/14 22:33:14.899355, 3] libsmb/ntlmssp_sign.c:343(ntlmssp_sign_init) NTLMSSP Sign/Seal - Initialising with flags:
[2012/05/14 22:33:14.899521, 3] libsmb/ntlmssp.c:65(debug_ntlmssp_flags) Got NTLMSSP neg_flags=0xa2088205
2012/05/14 22:33:14.899| The request GET http://webservername/testsite/ is ALLOWED, because it matched 'auth'
2012/05/14 22:33:14.899| client_side_request.cc(547) clientAccessCheck2: No adapted_http_access configuration.
2012/05/14 22:33:14.899| The request GET http://webservername/testsite/ is ALLOWED, because it matched 'auth'

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-not-keeping-authenticated-NTLM-session-open-tp4633944.html
Sent from the Squid - Users mailing list archive at Nabble.com.
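
An added example, not part of the original post: a Python script that pairs each Squid "need to challenge client" line in cache.log with the ntlm_auth helper line that precedes it, giving the helper-to-challenge delay, the user, and whether a client connection teardown was logged since the previous round. The sample lines are copied from the excerpt in the post; the function names, and reading ConnStateData::swanSong as a client connection teardown, are assumptions of this example.

```python
import re
from datetime import datetime

# Lines copied from the cache.log excerpt in the post (Squid and ntlm_auth output interleaved).
SAMPLE_LOG = """\
[2012/05/14 22:32:00.549309, 3] libsmb/ntlmssp.c:65(debug_ntlmssp_flags) Got NTLMSSP neg_flags=0xa2088207
2012/05/14 22:32:05.555| AuthNTLMUserRequest::authenticate: need to challenge client 'Tl...AA'!
[2012/05/14 22:32:05.560165, 3] libsmb/ntlmssp.c:747(ntlmssp_server_auth) Got user=[me] domain=[DOMAIN] workstation=[WKS_NAME] len1=24 len2=24
2012/05/14 22:33:09.880| ConnStateData::swanSong: FD 12
[2012/05/14 22:33:09.884534, 3] libsmb/ntlmssp.c:65(debug_ntlmssp_flags) Got NTLMSSP neg_flags=0xa2088207
2012/05/14 22:33:14.891| AuthNTLMUserRequest::authenticate: need to challenge client 'Tl...AA'!
[2012/05/14 22:33:14.894114, 3] libsmb/ntlmssp.c:747(ntlmssp_server_auth) Got user=[me] domain=[DOMAIN] workstation=[WKS_NAME] len1=24 len2=24
"""

TS = re.compile(r"(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+)")  # matches both log formats

def events(text):
    """Yield (time, kind, detail) for entries that belong to an NTLM handshake."""
    parts = TS.split(text)  # [prefix, stamp1, body1, stamp2, body2, ...]
    for stamp, body in zip(parts[1::2], parts[2::2]):
        when = datetime.strptime(stamp, "%Y/%m/%d %H:%M:%S.%f")
        if "debug_ntlmssp_flags" in body:
            yield when, "helper_flags", None
        elif "need to challenge client" in body:
            yield when, "challenge", None
        elif "swanSong" in body:  # assumption: logged when a client connection is torn down
            yield when, "conn_closed", None
        elif m := re.search(r"Got user=\[(.*?)\] domain=\[(.*?)\]", body):
            yield when, "user", f"{m.group(2)}\\{m.group(1)}"

def handshakes(text):
    """One dict per challenge round: helper delay, user, close seen since last round."""
    rounds, last_flags, closed = [], None, False
    for when, kind, detail in events(text):
        if kind == "helper_flags":
            last_flags = when
        elif kind == "conn_closed":
            closed = True
        elif kind == "challenge":
            delay = (when - last_flags).total_seconds() if last_flags else None
            rounds.append({"at": when, "helper_delay_s": delay,
                           "after_close": closed, "user": None})
            closed = False
        elif kind == "user" and rounds and rounds[-1]["user"] is None:
            rounds[-1]["user"] = detail
    return rounds

if __name__ == "__main__":
    print(*handshakes(SAMPLE_LOG), sep="\n")
```

Run against a full cache.log, the number of rounds per page load and the `after_close` column show how many handshakes follow a logged teardown of the client connection, and `helper_delay_s` isolates the pause between the helper parsing the negotiate message and Squid issuing the challenge.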