On Fri, 16 Apr 2004 Jim_Brouse/PYT@PASCUAYAQUITRIBE.ORG wrote:

> I have squid configured with NTLM auth and in the squid logs with squid in
> debug mode in cache.log squid first reports DENIED access to a site because
> they are a member of AuthorizedUsers and then it says it is ALLOWED because
> they are a member or AuthorizedUsers group so my question is why does Squid
> first deny it and then after it says ALLOWED.

Because at first the user is not authenticated, so he is denied by Squid
asking the browser to try again with the proper login credentials.

Much of this chatting is due to the fundamental design errors of Microsoft
NTLM over HTTP authentication. NTLM over HTTP (and also Negotiate over
HTTP) is a connection oriented authentication protocol, not a HTTP
authentication protocol. As such it has some bad interactions with
HTTP and performs rather badly.

Unfortunately not much to do about as you are limited by what Microsoft
implements in their browsers.