64 bytes from dc1.example.local (192.168.0.1): icmp_req=1 ttl=64 time=0.028 ms
64 bytes from dc1.example.local (192.168.0.1): icmp_req=2 ttl=64 time=0.017 ms
64 bytes from dc1.example.local (192.168.0.1): icmp_req=3 ttl=64 time=0.013 ms
64 bytes from dc1.example.local (192.168.0.1): icmp_req=4 ttl=64 time=0.009 ms

--- dc1.example.local ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2997ms
rtt min/avg/max/mdev = 0.009/0.016/0.028/0.008 ms

PING (184.108.40.206) 56(84) bytes of data.
64 bytes from syd01s13-in-f20.1e100(220.127.116.11): icmp_req=1 ttl=55 time=40.4 ms
64 bytes from syd01s13-in-f20.1e100(18.104.22.168): icmp_req=2 ttl=55 time=42.2 ms
64 bytes from syd01s13-in-f20.1e100(22.214.171.124): icmp_req=3 ttl=55 time=41.2 ms
64 bytes from syd01s13-in-f20.1e100(126.96.36.199): icmp_req=4 ttl=55 time=42.0 ms

--- ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 40.497/41.511/42.248/0.685 ms

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
dc1..                             1 u   32 1024  377    0.463    1.874   9.718
dc188.8.131.52.2                  2 u  202 1024  377    1.032  -20.487   9.975
-ns2.a 184.108.40.206             3 u  200 1024  377   31.844    6.543   6.526
+pond.220.127.116.11              2 u  321 1024  377   68.729   -3.529   4.643
+fw18.104.22.168.50               2 u  528 1024  377   30.292   -0.139  27.056
+cachens1.onqnet 22.214.171.124   2 u  197 1024  377   35.697    0.116   4.991
+ppp154-81.stati 126.96.36.199    3 u  542 1024  377   51.958    0.785  52.403
*warrane.connect 1.80             2 u  264 1024  377   15.539    0.921   4.655

dns_lookup_kdc = no
dns_lookup_realm = no
ticket_lifetime = 24h
default_keytab_name = /etc/squid3/PROXY.keytab
; for Windows 2003
default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; for Windows 2008 with AES
; default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
; default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
; permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
[realms]

The proxy uses three methods to authenticate clients: Negotiate/Kerberos, Negotiate/NTLM and basic authentication. Please read the Negotiate Authentication and LDAP Authentication pages on the Squid wiki.
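As an added check that is not part of the original guide, the following Python script parses the [libdefaults] fragment above and reports which enctype settings still offer the single-DES and RC4 types that the Windows 2003 lines enable, and whether every setting also offers an AES type; the fragment text is copied as constructed sample input and the weak-type prefix list is this example's own assumption.

```python
# The [libdefaults] fragment from this guide, copied as constructed sample input.
KRB5_LIBDEFAULTS = """
dns_lookup_kdc = no
dns_lookup_realm = no
ticket_lifetime = 24h
default_keytab_name = /etc/squid3/PROXY.keytab
; for Windows 2003
default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; for Windows 2008 with AES
; permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
[realms]
"""

ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")
# Single DES (RFC 6649) and RC4/arcfour (RFC 8429) are deprecated Kerberos enctypes.
WEAK_PREFIXES = ("des-", "rc4-", "arcfour-")

def parse_enctypes(text):
    """Return {setting: [enctype, ...]} for the enctype settings in [libdefaults]."""
    found = {}
    in_libdefaults = True  # the fragment starts inside [libdefaults]
    for raw in text.splitlines():
        line = raw.strip()
        # ';' and '#' lines are krb5.conf comments: the commented AES line is skipped.
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_libdefaults = line == "[libdefaults]"  # stop reading at [realms]
            continue
        if in_libdefaults and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key in ENCTYPE_KEYS:
                found[key] = value.split()
    return found

def audit_enctypes(text):
    """Return (weak, aes_everywhere): deprecated types per setting; True if each offers AES."""
    found = parse_enctypes(text)
    weak = {}
    aes_everywhere = bool(found)
    for key, types in found.items():
        deprecated = [t for t in types if t.startswith(WEAK_PREFIXES)]
        if deprecated:
            weak[key] = deprecated
        if not any(t.startswith("aes") for t in types):
            aes_everywhere = False
    return weak, aes_everywhere
```

Run against the guide's fragment it flags all three settings and reports that none of them offers AES; a fragment using the Windows 2008 lines would still be flagged for the trailing RC4 and DES types.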
A problem also exists in the order in which the authentication helpers are used. One example: when using IE on a non-domain computer, the browser will fail to negotiate Kerberos and will not fail over to NTLM or basic authentication, regardless of the order in which the helpers are provided.
This means the user will endlessly receive a popup window requesting authentication.
This document covers the setup of a Squid proxy that integrates seamlessly with Active Directory, using Kerberos and NTLM, with basic authentication for clients that cannot authenticate via Kerberos or NTLM.
Authorisation to use the internet is managed by Security Groups in Active Directory by means of LDAP lookup.
The proxy can use block and allow lists for site access restrictions, and an optional monitoring section describes using Cyfin Reporter for proxy monitoring.
This guide is an expansion and update to a guide I submitted on Howto Forge and contains some fixes to issues discovered and amendments to incorrect information.
I want to take the opportunity at the start of the guide to thank the Squid developers and the support I received on the mailing list in getting this guide completed.
For this guide the following examples are utilised; you should update any
Most situations will require the proxy to be set up as a Debian 6 virtual machine, and this guide assumes the use of Debian. Our typical deployment is around 50 users; in this situation the following specifications are required.
Client Windows Computers need to have "Enable Integrated Windows Authentication" ticked in Internet Options ⇒ Advanced settings.
On the Windows DNS server add a new A record entry for the proxy server's hostname and ensure a corresponding PTR (reverse DNS) entry is also created and works.
Check that the proxy is using the Windows DNS server for name resolution and update

PING dc1.example.local (192.168.0.1) 56(84) bytes of data.