
Enable NTLM authentication

Kerberos authentication has one limitation: it works ONLY when both the machine and the user account accessing the proxy are joined to the domain. If the proxy is accessed from a non-domain-joined machine, Kerberos authentication will not be used. To overcome this limitation, we also need to enable the NTLM authentication scheme on the Squid proxy.

The current version of Web Safety contains the NTLM authenticator /opt/websafety/bin/wsauth, which transparently redirects NTLM authentication requests and responses to the designated domain controller(s). No additional configuration is needed on the Squid box. The disadvantage of this approach is that all requests are directed to your domain controllers, which may put additional load on them.

In order to enable NTLM authentication on your appliance, navigate to Admin UI / Squid Proxy / Auth, select the Active Directory page and click on the NTLM tab. Check Enable on the following screen and then click Save Changes. The domain controllers to connect to are taken from the Domain Information page described in the previous step.

NTLM Enable

Please note: to allow Internet Explorer to use NTLM authentication when connecting to the Squid proxy from a non-domain-joined Windows machine, the Enable Integrated Windows Authentication setting must be checked as indicated below.

IE Integrated NTLM
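
To confirm the change took effect, look at the proxy's 407 challenge: with Kerberos and NTLM both enabled it should advertise the Negotiate and NTLM schemes. The script below is an added example, not part of Web Safety; the sample response is constructed, and it assumes the proxy sends one Proxy-Authenticate header per scheme.

```python
import socket
import sys

# Constructed sample of a proxy's 407 challenge (not captured from a real appliance).
SAMPLE_407 = (
    b"HTTP/1.1 407 Proxy Authentication Required\r\n"
    b"Proxy-Authenticate: Negotiate\r\n"
    b"Proxy-Authenticate: NTLM\r\n"
    b"Content-Length: 0\r\n\r\n"
)

def offered_schemes(raw):
    """Return the schemes named in Proxy-Authenticate headers, in order."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1").split("\r\n")
    status = lines[0].split(" ", 2)
    if len(status) < 2 or status[1] != "407":
        raise ValueError("expected a 407 challenge, got %r" % lines[0])
    schemes = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        # Assumption: one challenge per header line; the scheme is its first token.
        if sep and name.strip().lower() == "proxy-authenticate" and value.split():
            schemes.append(value.split()[0])
    return schemes

def auth_status(raw):
    """Report whether Kerberos (Negotiate) and NTLM are both advertised."""
    seen = {s.lower() for s in offered_schemes(raw)}
    return {"negotiate": "negotiate" in seen, "ntlm": "ntlm" in seen}

def fetch_challenge(host, port, timeout=5.0):
    """Send one unauthenticated request through the proxy; return the reply head."""
    request = b"GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n\r\n"
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        data = b""
        while b"\r\n\r\n" not in data:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    return data

if __name__ == "__main__":
    # Usage: script.py PROXY_HOST PROXY_PORT; with no arguments, uses the sample.
    raw = fetch_challenge(sys.argv[1], int(sys.argv[2])) if len(sys.argv) == 3 else SAMPLE_407
    print(offered_schemes(raw), auth_status(raw))
```

If `ntlm` comes back false after Save Changes, the proxy is still offering Kerberos only and non-domain-joined clients will not be able to authenticate.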