Step 6. Enable NTLM authentication on Squid¶
Kerberos authentication has one limitation - it works ONLY when machine and user account accessing proxy are joined to the domain. If proxy is accessed from non domain joined machine, Kerberos authentication will not be used. To overcome this limitation we also need to enable the NTLM authentication scheme on Squid proxy.
Prior to version 4.6 of Web Safety NTLM authentication was not described in the docs. It was possible to setup one with use of Squid wiki at http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory. Unfortunately this requires installation of Samba package and joining the squid machine to the domain. This has many limitations including overall complexity of Samba package, inability to use operating system snapshots if Squid is deployed in virtual machine (AD registration of a proxy box within a snapshot expires in 30 days and requires manual rejoin to the AD) and additional management efforts.
Current version of Web Safety contains the NTLM authenticator
/opt/websafety/bin/wsauth that transparently redirects NTLM authentication requests and responses to designated domain controller(s). No additional configuration is needed on Squid box. The disadvantage of this approach is that all requests are directed to your domain controllers and this may lead to additional performance load on them.
In order to enable NTLM authentication on your Proxy box, navigate to UI / Squid / Auth / Active Directory, select the NTLM tab and check Enable on the following screen and then Save Changes. The domain controllers to connect to are taken from Domain Information page described at the previous Step 4. Link to Active Directory domain.
Please note, to allow Internet Exporer to use NTLM authentication when connecting to Squid proxy from non domain joined Windows machine, Enable Integrated Windows Authentication setting must be checked as indicated below.