[squid-users] Prompt with NTLM authentication and load balancer

From: <[email protected]>
Date: Tue, 21 Mar 2006 10:41:30 -0600

Hello All,

Does anyone have experience with a problem in what appears to invovle a
load balancer, Squid, and NTLM where the browsers always prompt for
username & password and solved it already? What kind of problems could
there be when the only way to fix the browser always prompting for username
& password is removal of the profile's ntuser.dat file?

I have three squid servers on Gentoo Linux configured as the Internet Proxy
for approximately 2500 consumers with automatic negotiation via NTLM. The
client browsers are configured to point to an HA address that transparently
load shares between the three servers. The NTLM helpers are configured,
winbindd is running, samba works in the Active Directory domain. This
works for most of the consumers all the time, it's a beautiful thing with
one imperfection at the moment; there have been about 80 occurrences when
the automatic authentication in NTLM breaks down in the profile that
causes Internet Explorer to prompt for the username & password.

For /whatever/ reason in these profiles the automatic authentication breaks
down forcing the username & password prompt to display for some of the
profiles with every new instantiation of Internet Explorer. This
/whatever/ is in the Windows profile, if someone else uses the same
computer but uses a different account the automatic authentication works
fine for that account. The only way I've found to fix this problem where
the prompt always appears for the first get on the Internet is to delete
the ntuser.dat file. In limited tests, Firefox appears to work when that's
been available, but most people do not install Firefox. The number of
clients where this happens also increases given problems within the
network. We had a DNS outage and these break down events happened all over
the place.

Besides removing the ntuser.dat file, there's another way I've found to fix
the case where the prompts show all the time. That is to point the client
to one of the three squid servers and not go through the HA address on the
load balancer.

Mike
.
Received on Tue Mar 21 2006 - 09:41:38 MST

This archive was generated by hypermail pre-2.1.9 : Sat Apr 01 2006 - 12:00:04 MST