Re: [squid-users] Too many TCP_DENIED/407 when using Kerberos authentication

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 01 Oct 2013 20:12:10 +1300

On 1/10/2013 8:25 a.m., Ron Wheeler wrote:
> Yes
> Yes
> Nothing?
>

Er. That should be: "yes. no. upgrade?"

NTLM will only succeed on the *third* attempt. So some 60% of requests
get DENIED. Usually on the pattern that two connections are used - the
first only gets a DENIED then closed, the second gets DENIED then success.

We are continuously improving Squid and there have been many NTLM fixes
since 3.1 series and a few in Kerberos handling as well. So upgrading to
the latest stable will possibly improve things a little bit for the
problems not yet noticed even though the described behaviour is expected.

> I think that the problem comes from the fact that the browser has no
> idea about what the authentication will be (if any) when it first
> makes the request.
> Once the server says "Whoa, Why should I let you in?", the browser
> knows that it needs to engage in an authentication process.
>

Exactly so. Good description BTW.

> I could be wrong but I am sure that a quick Google will get you a full
> description of the process.
>
> Ron

Amos
Received on Tue Oct 01 2013 - 07:12:20 MDT
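
The handshake pattern described in the message above, turned into a log check (an added example, not part of the original thread or of Squid's own code): it separates `TCP_DENIED/407` lines that are followed by an authenticated response for the same client and request from 407s that never resolve. It assumes Squid's default native `access.log` field order; the sample lines, the function names and the 5-second pairing window are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in Squid's native access.log format (not taken from the thread).
SAMPLE_LOG = """\
1380611530.101      0 10.0.0.5 TCP_DENIED/407 3985 GET http://intranet.example/ - NONE/- text/html
1380611530.140      1 10.0.0.5 TCP_DENIED/407 4210 GET http://intranet.example/ - NONE/- text/html
1380611530.322    180 10.0.0.5 TCP_MISS/200 5120 GET http://intranet.example/ alice DIRECT/192.0.2.10 text/html
1380611541.010      0 10.0.0.9 TCP_DENIED/407 3985 GET http://updates.example/a.bin - NONE/- text/html
1380611542.015      0 10.0.0.9 TCP_DENIED/407 3985 GET http://updates.example/a.bin - NONE/- text/html
1380611543.020      0 10.0.0.9 TCP_DENIED/407 3985 GET http://updates.example/a.bin - NONE/- text/html
"""

def parse(line):
    """Pick out the native-format fields this check needs."""
    f = line.split()
    return {"ts": float(f[0]), "client": f[2], "status": int(f[3].split("/")[1]),
            "method": f[5], "url": f[6], "user": f[7]}

def classify_407s(lines, window=5.0):
    """Count 407s that were auth challenges (same client and request succeeded
    with a username within `window` seconds) versus 407s that never resolved."""
    pending = defaultdict(list)   # (client, method, url) -> timestamps of open 407s
    out = {"handshake": 0, "unresolved": 0, "unresolved_clients": set()}

    def expire(key, stamps):
        if stamps:
            out["unresolved"] += len(stamps)
            out["unresolved_clients"].add(key[0])

    for rec in map(parse, filter(str.strip, lines)):
        key = (rec["client"], rec["method"], rec["url"])
        if rec["status"] == 407:
            pending[key].append(rec["ts"])
        elif rec["user"] != "-":
            # Authenticated response: recent 407s before it were challenge steps.
            stamps = pending.pop(key, [])
            out["handshake"] += len([t for t in stamps if rec["ts"] - t <= window])
            expire(key, [t for t in stamps if rec["ts"] - t > window])
    for key, stamps in pending.items():   # 407s with no later success at all
        expire(key, stamps)
    out["unresolved_clients"] = sorted(out["unresolved_clients"])
    return out

if __name__ == "__main__":
    print(classify_407s(SAMPLE_LOG.splitlines()))
```

Clients that appear only under `unresolved_clients` are the ones worth investigating (software that cannot do proxy authentication, or failing credentials); the `handshake` count is the expected noise.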