On 4/12/2015 11:14 p.m., Fabio Bucci wrote: > Hi All, > my task is implementing a squid proxy that allow all my authenticated > (windows AD) internal users to surf internet without any credential request > (pop-up). > > Plus, i created two squid nodes and put them behind a citrix netscaler in > order to perform a load balance service. > How does this LB device work exactly? when dealing with NTLM the specifics matter *a lot*. Some LB sniff the HTTP traffic then route them on a per-message basis. This is incompatible with both NTLM and Negotiate authentication, and can cause bad confusion between the browser and proxy randomly. Note that HTTP is a stateless protocol. So none of the browser, LB or proxy are broken when this is going on. It is those to auth schemes that are broken and incompatible with the designed statelessness feature of HTTP being used by the LB. > I configured squid with samba and ntlm helper in order to perform a > transparent authentication but sometimes some user report me their browsers > require authentication via pop-up. > > I'm not a deep expert about squid and i'd like to receive your help in > order to understand if my configuration is correct or not and if there is a > way to prevent popup. With HTTP authentication there should only ever be one popup no matter what type of authentication scheme is used. HTTP being stateless, requires that every single message has credentials attached (NTLM violates that and some browsers dont always re-send while the connection is alive; Squid accepts that, the LB may not). It is the browsers responsibility to remember the credentials that work and continue using them without annoying the user. There are some proxy configurations that allow for the proxy to force the Browser to change credentials. These can result in popups as that change happens. We will need to see your squid.conf to provide any specific help on that. Amos _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
