I am new to Squid proxy and need help in setting up NTLM authentication. I checked so many resources on the web but did not find exact steps to get my work done Since I have no background on proxy/networking configurations, I am not able to figure out where I am missing. I need this for some testing purpose.


I have, two machines Machine 1: Windows Server 2012R2 on which Squid proxy server 2.6 is deployed. This machine has Active directory domain configured (domain1.com). domain1.com has user-1 and user-2 users.

Machine 2: Is a part of domain1.com. Machine 1 acts as a proxy for Machine 2 (Manual proxy set on Machine2s Internet explorer). Windows Integrated Authentication is turned ON in Internet Explorer menu.

I am trying to access google.com from Machine 2, IE prompts for authentication. I am providing user-1 credentials here. However, the request is not getting succeeded. Authentication prompt is appearing again and again.


auth_param ntlm program C:/squid/libexec/mswin_ntlm_auth.exe --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm keep_alive on
acl all src
acl manager proto cache_object
acl localhost src
acl to_localhost dst
acl localnet src # RFC1918 possible internal network
acl localnet src  # RFC1918 possible internal network
acl localnet src # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80      # http
acl Safe_ports port 21      # ftp
acl Safe_ports port 443     # https
acl Safe_ports port 70      # gopher
acl Safe_ports port 210     # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280     # http-mgmt
acl Safe_ports port 488     # gss-http
acl Safe_ports port 591     # filemaker
acl Safe_ports port 777     # multiling http

acl KnownUsers proxy_auth REQUIRED

http_access allow KnownUsers
http_access allow manager localhost
http_access allow manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all


1528144397.050     24 XX.XX.XXX.XXX TCP_DENIED/407 2151 CONNECT www.google.co.in:443 - NONE/- text/html
1528144397.056      5 XX.XX.XXX.XXX TCP_DENIED/407 1817 CONNECT www.google.co.in:443 - NONE/- text/html

Can someone please let me know what I am missing?

1 Answers1


add the following lines it might work after this

auth_param basic program /usr/lib/squid/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5 startup=5 idle=1
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hour
auth_param basic casesensitive off
  • 1,060
  • 3
  • 10
  • 14
  • I need to enable NTLM authentication. Will this solution do that? I tried this though, its not working. – amit joshi Jun 04 '18 at 09:25
  • Can I see your active directory logs? you can see it in eventlog – Bilal Ali Jafri Jun 04 '18 at 09:26
  • I dont see anything weired in eventviewer logs. access.log contains same 407 TCP_DENIED erros. Is there anything else required apart from the steps which I did as a part of setup for NTLM ? – amit joshi Jun 04 '18 at 09:38