Mixing Local Users and Active Directory Authentication Schemes

We are trying to achieve the following scenario: some users within the network must be authenticated using Active Directory, while other users must be authenticated using the Local Users Database. Is it possible?

Unfortunately, this is only partially possible because of limitations in how proxy authentication is designed. Consider the following scenario:

  1. Imagine you have successfully configured the Microsoft Active Directory authentication scheme and everything seems to be working normally: your users are successfully authenticated and browse through the proxy without any additional pop-up boxes (SSO works normally).

  2. You now add Local Users Database authentication, expecting that some of your users will now also be authenticated by the login/password combination that you designated in Admin UI / Squid / Authentication / Local Users.

Now let’s see what happens when a user needs to navigate to some URL.

  1. The user opens the browser, types the URL in the address bar and presses Enter, and the browser sends the request to the proxy.

  2. The proxy tells the browser to authenticate, presenting the list of configured authentication schemes: Negotiate, NTLM, Basic. This behaviour of proxies is specified in the RFC.

  3. According to the same RFC, the browser always selects the strongest authentication scheme, in our case Negotiate. Now the browser needs to work out which credentials to send to the proxy.

    1. If the browser runs under an Active Directory user account, it looks at the list of Kerberos tickets (type klist in a terminal console to see them), finds the one that matches the proxy and sends it; the proxy authenticates the browser and the user continues to browse normally without any additional pop-up boxes.

    2. If the browser runs on a non-domain-joined machine, as a local Windows user or even on Linux, the browser again needs to select the strongest scheme (i.e. Negotiate or NTLM). It sees that there are no Kerberos tickets on the local machine and, not knowing what else to do, shows the pop-up, expecting the user to type NTLM credentials.

    3. The user, thinking that this is Basic local users authentication, types the credentials that the admin entered in Admin UI / Squid / Authentication / Local Users. Those credentials simply do not work, and now we understand why.

So is it possible to achieve our goal?

If you, as the administrator, are able to tell the proxy somehow that the connecting user needs to be authenticated by the Local Users Database, then yes, local user authentication might work. For example, you might tell the proxy to authenticate all servers in a specific subnet using the Local Users Database. But this might require some changes in the Admin UI and possibly in the configuration templates of the product.
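
The following is an added example, not code from the product: a simplified Python model of the exchange described above, showing why the local user's credentials end up being checked against Active Directory and how offering only Basic to one subnet changes the outcome. The subnet 10.0.50.0/24, the client addresses and the function names are constructed for illustration.

```python
import ipaddress

# Order in which the browser prefers the offered schemes (strongest first).
STRENGTH = ["Negotiate", "NTLM", "Basic"]
# Constructed sample subnet whose clients should use Local Users (assumption).
LOCAL_USERS_NET = ipaddress.ip_network("10.0.50.0/24")


def proxy_challenges(client_ip, per_subnet=False):
    """Build the Proxy-Authenticate lines of the proxy's 407 response."""
    schemes = list(STRENGTH)
    if per_subnet and ipaddress.ip_address(client_ip) in LOCAL_USERS_NET:
        schemes = ["Basic"]  # only the scheme backed by the Local Users Database
    return [
        f"Proxy-Authenticate: {s}" + (' realm="proxy"' if s == "Basic" else "")
        for s in schemes
    ]


def browser_choice(header_lines, has_kerberos_ticket):
    """Return (scheme, user experience, credential store that checks the login)."""
    offered = set()
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() == "proxy-authenticate" and value.strip():
            offered.add(value.split()[0].lower())
    scheme = next((s for s in STRENGTH if s.lower() in offered), None)
    if scheme is None:
        raise ValueError("no supported authentication scheme offered")
    if scheme == "Negotiate" and has_kerberos_ticket:
        return scheme, "no prompt (SSO)", "Active Directory"
    if scheme in ("Negotiate", "NTLM"):
        # No ticket: the pop-up collects NTLM credentials, which go to AD.
        return scheme, "prompt", "Active Directory"
    return scheme, "prompt", "Local Users Database"


if __name__ == "__main__":
    cases = [
        ("domain user, all schemes", "10.0.1.20", False, True),
        ("local user, all schemes", "10.0.50.7", False, False),
        ("local user, Basic-only subnet", "10.0.50.7", True, False),
    ]
    for label, ip, per_subnet, ticket in cases:
        print(label, "->", browser_choice(proxy_challenges(ip, per_subnet), ticket))
```

Clients in a subnet restricted to Basic send the password to the proxy only base64-encoded, so keep that subnet as narrow as the use case allows.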

See also the article on Mix Authenticated and Non Authenticated Proxy Users.