KB 2793: Kerberos/NTLM authentication failover

Published December 20, 2023

Perform NTLM authentication when Kerberos authentication is not possible.


In certain contexts, it may be necessary to activate Kerberos/NTLM authentication fail-over. For example, some applications that are unable to respond to a Kerberos challenge may not be able to access the Internet unless they are offered an alternative method.


1. Select Kerberos authentication in Advanced Proxy>HTTP>Configuration>Authentication

2. Add the lines below for NTLM in Advanced Proxy>HTTP>Configuration>Advanced configuration>Before authentication

auth_param ntlm program /usr/bin/ntlm_auth -helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 100 on-persistent-overload=ERR
auth_param ntlm keep_alive off

For example, if an application is unable to respond to a Kerberos challenge, it can switch to NTLM. The browser will then display an authentication window to allow a user from a non-domain workstation to authenticate.

This gives :

An update may comment on its lines, so we recommend that you consult this menu after each update and, if necessary, uncomment them.


Proxy behavior without NTLM failover :

The proposed authentication mode is "Negotiate" (Kerberos), there is no other alternative.

Proxy behavior with NTLM failover :

This time, the proxy offers Negotiate (Kerberos) and NTLM.

Articles on Kerberos and NTLM authentication can be found in the :

NTLM authentication here
Kerberos authentication here