I ran some additional tests with ntlm_auth ntlm_auth --username works ntlm_auth --helper-protocol=squid-2.5-ntlmssp
yields BH SPNEGO request invalid prefix Thanks, Keith -----Original Message----- From: Amos Jeffries [mailto:squ...@treenet.co.nz] Sent: Monday, October 26, 2015 4:24 PM To: Keith White <keith.wh...@emdmillipore.com>; squid-users@lists.squid-cache.org Subject: Re: [squid-users] Squid/NTLM Auth On 24/10/2015 1:44 a.m., Keith White wrote: > I changed around the DNS servers and still no luck. This also popped > up in the log > > Acl.cc(70) AuthenticateAcl: returning 2 sending credentials to helper. > 2015/10/23 05:41:35.259 kid1| 28,3| Acl.cc(158) matches: checked: > AuthorizedUsers = -1 async > 2015/10/23 05:41:35.259 kid1| 28,3| Acl.cc(158) matches: checked: > http_access#3 = -1 async > 2015/10/23 05:41:35.259 kid1| 28,3| Acl.cc(158) matches: checked: > http_access = -1 async > 2015/10/23 05:41:35.259 kid1| ERROR: NTLM Authentication validating > user. Result: {result=BH, notes={message: NT_STATUS_UNSUCCESSFUL > NT_STATUS_UNSUCCESSFUL; }} > 2015/10/23 05:41:35.260 kid1| 29,5| UserRequest.cc(73) valid: Validated. > Auth::UserRequest '0x12c1f10'. > IIRC that BH response happens when the helper gets a type-3 token without having been part of the handshake dance that led up to it. The helpers are stateful and the same one needs to be part of the whole handshake. That can happen if the connection is closed for some reasons after the type-2 token is sent, and the client is brokenly continuing on a new connection (Firefox is known to do that, others might too). The connection is allowed to close after the initial 407 challenge. Some clients are broken and require that to happen - which is where the "auth_param ntlm keep_alive off" setting helps. But not once the type-2 token is sent on the second 407. Squid should be enforcing a persistent TCP connection from then onwards. The nextstep is to look at either the HTTP messages or the TCP packet level to find out what (if anything) is closing the connection between the type-2 and type-3 token messages thats probably your problem. Amos This message and any attachment are confidential and may be privileged or otherwise protected from disclosure. If you are not the intended recipient, you must not copy this message or attachment or disclose the contents to any other person. If you have received this transmission in error, please notify the sender immediately and delete the message and any attachment from your system. Merck KGaA, Darmstadt, Germany and any of its subsidiaries do not accept liability for any omissions or errors in this message which may arise as a result of E-Mail-transmission or for damages resulting from any unauthorized changes of the content of this message and any attachment thereto. Merck KGaA, Darmstadt, Germany and any of its subsidiaries do not guarantee that this message is free of viruses and does not accept liability for any damages caused by any virus transmitted therewith. Click http://www.merckgroup.com/disclaimer to access the German, French, Spanish and Portuguese versions of this disclaimer. _______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users