On Tue, 25 Jan 2011 19:25:33 +0530, Senthilkumar wrote:
> Hi Amos,
>
> I have followed the suggestions provided by you and if use deny without
> "all" i am getting pop up when i access denied sites, it is suppressed
> when i use all.
> We use ntlm scheme to authenticate with domain users, all users can
> authenticate without any prompt, while browsing out of 350 users only
> 5-6 users getting prompt rarely(around 2-3 times a day)
> There is no specific website or time the prompt appears. Please suggest
> some troubleshooting ideas and cause for it.
> The cache.log does not show any errors
I'm not sure exactly which deny line you are describing as producing a
popup. The config below looks right. Where you deny based on group lookups
the lines should end with "all", as you saw not having it there produces
the popup.
NTLM can suffer from a few issues on connections and some bugs in Squid.
Though both of these problems have been worked on and reduced in newer
releases.
If one of the "allow" group lookups is somehow failing this may produce a
popup.
I am not sure how one would check for these in production environment. The
things to watch out for are the HTTP auth headers for the request before
during and after the prompt appears. Whether this is happening on a
connection while it stays up, or if the connection drops out on the
challenge. Whether it happened on a new connection using some non-NTLM auth
(ie a Windows 7 machine trying an unexpected encryption, or some background
application with the wrong keys).
Amos
Received on Wed Jan 26 2011 - 01:50:03 MST
This archive was generated by hypermail 2.2.0 : Mon Jan 31 2011 - 12:00:04 MST