Hi,

Thanks. Actually spent time yesterday building a new machine from scratch and build build and associated components, because the kerberos behavior (keytab) did not seem right. My test box had been used for several squid test versions, and thus may have had a mixture of binaries...

Anyway, after the fresh install, kerberos "just worked"!
- The logging to cache.log by the auth processes is as expected too.
- Tested with IE and Chrome on a Windows machine in the domain, kerberos did its job. Usernames are visible in the access log for example.

Both of the following worked (for those who search this thread later.-)

auth_param negotiate program /usr/local/squid/libexec/negotiate_wrapper_auth -i --kerberos /usr/local/squid/libexec/negotiate_kerberos_auth -s GSS_C_NO_NAME --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=MYDOMAIN

auth_param negotiate program /usr/local/squid/libexec/negotiate_kerberos_auth -s GSS_C_NO_NAME

On a Windows machine *not* in the domain, access is denied (as expected), but the user is not prompted for a password. So I think ldap is needed too?

Tested ldap alone, as follows. Works.

auth_param basic program /usr/local/squid/libexec/basic_ldap_auth -d -R -b "dc=mydomain,dc=net" -D myaccount@xxxxxxxxxxxx -W /etc/squid/ldappass.txt -f sAMAccountName=%s -h ldap.mydomain.net -p 3268

Then re-enabled the kerberos with ldap after it. Kerberos works as before, but on the test PC not in the domain, entering the username/pw in the browser popup never allows access. I think kerberos is causing the popup (the ldap realm, for example, is not shown).

All the doc I found online just indicated adding one after the other. The auth_param doc (http://www.squid-cache.org/Doc/config/auth_param/) does not explain how the hand off between the authentication methods works.

Any suggestions please?

Sean

-----------------------
Sep 11, 2012; 12:14am Markus Moeller wrote:

Hi Sean,

When I said client I meant the Windows client (or do you have also Unix clients?). On Windows you can install a tool called kerbtray which shows you the ticket you have. If you don't see any ticket for HTTP/<squid-fqdn> you need to use a capture tool like wireshark and look at the traffic on port 88 (the kerberos authentication port). You should see a TGS request from the client to AD and a TGS reply from AD with either the ticket or an error message.

Let me know what error message you get as I assume you will have one.

Markus
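
Added example, not part of the original thread: a Negotiate header can carry either a Kerberos/SPNEGO token or a raw NTLMSSP token, which is the split the --kerberos and --ntlm halves of the negotiate_wrapper_auth line in Sean's message are there for. This Python function labels which kind a client sent, for instance from a header seen in a wireshark capture; the function name, labels and sample tokens are constructed for illustration.

```python
import base64

NTLMSSP_SIG = b"NTLMSSP\x00"
SPNEGO_OID = bytes.fromhex("06062b0601050502")      # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # 1.2.840.113554.1.2.2
NTLM_TYPES = {1: "negotiate", 2: "challenge", 3: "authenticate"}


def classify_negotiate(header_value):
    """Label the token carried in a Proxy-Authorization/Authorization value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return "not-negotiate"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "invalid-base64"
    if token.startswith(NTLMSSP_SIG):
        if len(token) < 12:
            return "ntlm-truncated"
        msg_type = int.from_bytes(token[8:12], "little")
        return "ntlm-" + NTLM_TYPES.get(msg_type, "unknown")
    if len(token) < 2 or token[0] != 0x60:  # 0x60 = GSS-API InitialContextToken
        return "unknown"
    # Skip the DER length (short form: 1 byte; long form: 0x80|n, then n bytes).
    off = 2 + (token[1] & 0x7F if token[1] & 0x80 else 0)
    mech = token[off:]
    if mech.startswith(KRB5_OID):
        return "kerberos"
    if mech.startswith(SPNEGO_OID):
        # SPNEGO wraps a mechanism list; look for the Kerberos OID inside it.
        return "spnego-kerberos" if KRB5_OID in mech else "spnego-other"
    return "gss-unknown"


def _hdr(raw):
    return "Negotiate " + base64.b64encode(raw).decode()


# Constructed sample tokens (token headers only, not real tickets).
SAMPLES = {
    "ntlm type 1": _hdr(NTLMSSP_SIG + (1).to_bytes(4, "little") + b"\x07\x82\x08\xa2"),
    "raw krb5": _hdr(b"\x60\x82\x00\x0d" + KRB5_OID + b"\x01\x00"),
    "spnego": _hdr(b"\x60\x1b" + SPNEGO_OID + b"\xa0\x11\x30\x0f\xa0\x0d\x30\x0b" + KRB5_OID),
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:12} -> {classify_negotiate(value)}")
```

A token labelled ntlm-* from a client that was expected to use Kerberos means that client did not obtain a ticket for the proxy's HTTP/ service principal.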