Re: AuthConfig::CreateAuthUser: Unsupported or unconfigured/inactive proxy-auth scheme, 'NTLM..'

[Amos Jeffries <squid3@xxxxxxxxxxxxx>]

On 17/08/2012 1:20 p.m., Julie Xu wrote:
> Hi Amos
>
> Great thanks for the reply.
>
> I have two servers and one has not this error messages and one has. Both configuration is same:
>
> Server1# grep ntlm squid.conf
> #       protocol. See helpers/ntlm_auth/ for details. Recommended ntlm
> #       authenticator is ntlm_auth from Samba-3.X, but a number of other
> #       ntlm authenticators is available.
> #       By default, the ntlm authentication scheme is not used unless a
> #       auth_param ntlm program /path/to/samba/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> #       auth_param ntlm children 5
> #       auth_param ntlm keep_alive on
> #       client and reads commands according to the Squid ntlmssp helper
> #       protocol. See helpers/ntlm_auth/ for details. Recommended SPNEGO
> #       authenticator is ntlm_auth from Samba-4.X.
> #       auth_param negotiate program /path/to/samba/bin/ntlm_auth --helper-protocol=gss-spnego
> #auth_param ntlm program <uncomment and complete this line to activate>
> #auth_param ntlm children 5
> #auth_param ntlm keep_alive on
> #
>
> Server2# grep ntlm squid.conf
> #       protocol. See helpers/ntlm_auth/ for details. Recommended ntlm
> #       authenticator is ntlm_auth from Samba-3.X, but a number of other
> #       ntlm authenticators is available.
> #       By default, the ntlm authentication scheme is not used unless a
> #       auth_param ntlm program /path/to/samba/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> #       auth_param ntlm children 5
> #       auth_param ntlm keep_alive on
> #       client and reads commands according to the Squid ntlmssp helper
> #       protocol. See helpers/ntlm_auth/ for details. Recommended SPNEGO
> #       authenticator is ntlm_auth from Samba-4.X.
> #       auth_param negotiate program /path/to/samba/bin/ntlm_auth --helper-protocol=gss-spnego
> #auth_param ntlm program <uncomment and complete this line to activate>
> #auth_param ntlm children 5
> #auth_param ntlm keep_alive on
> #
>
> I guess there must be something else need configure. Please advice

Please read that text above. All lines beginning with # are 
documentation, so I see there are nothing actually configured.

But for some reason your clients of one server are sending their NTLM 
credentials without being told by the proxy that the NTLM protocol is in 
use. That is bad security on their part. Check for "single sign on" 
setting in the clients.

Amos