That's what (I think) I tried:
auth_param negotiate program /usr/local/bin/squid_kerb_auth -d -s HTTP/squidserver.bnpapeis.local
auth_param negotiate children 5
auth_param negotiate keep_alive on
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
acl users proxy_auth REQUIRED
http_access allow users
All authentication mechanisms work when only one is used. I also tried
entering DOMAIN\user in Internet Explorer and Firefox.
On 15/05/2013 14:31, Carlos Defoe wrote:
I think the BCP (best current practice) is to use, in sequence:
1) negotiate_wrapper configured with kerberos and ntlm
2) pure ntlm with ntlm_auth
3) one basic auth of your choice
Inserting those three methods in sequence on your squid.conf will do the job.
If you have problems with prompted auth, try inserting the user domain
when authenticating, like "MYDOMAIN\myusername". I've found that
Internet Explorer needs this.
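
The three-scheme sequence recommended above, written out as a squid.conf fragment. This is an added example, not configuration from either poster: the negotiate_wrapper path and the final deny rule are assumptions, while the other helper paths and the service principal are reused from the configuration quoted in this thread.

```conf
# Added example. /usr/local/bin/negotiate_wrapper is an assumed install path.

# 1) Negotiate through negotiate_wrapper. The wrapper inspects each token the
#    browser sends under "Negotiate" and hands it to the Kerberos helper or to
#    the NTLM helper, so clients that answer Negotiate with an NTLM token are
#    still authenticated.
auth_param negotiate program /usr/local/bin/negotiate_wrapper --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --kerberos /usr/local/bin/squid_kerb_auth -s HTTP/squidserver.bnpapeis.local
auth_param negotiate children 5
auth_param negotiate keep_alive on

# 2) Pure NTLM for clients that do not attempt Negotiate.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30

# 3) Basic as the last resort. Basic credentials travel base64-encoded, not
#    encrypted, between browser and proxy, so keep it last in the list.
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

# Require authentication, then deny everything else explicitly (assumed rule).
acl users proxy_auth REQUIRED
http_access allow users
http_access deny all
```

Each `auth_param ... program` directive must stay on a single line, and `squid -k parse` checks the file for syntax errors before a reload.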