diff --git a/src/auth/negotiate/kerberos/negotiate_external_acl b/src/auth/negotiate/kerberos/negotiate_external_acl
new file mode 100755
index 0000000000..e76308da76
--- /dev/null
+++ b/src/auth/negotiate/kerberos/negotiate_external_acl
@@ -0,0 +1,63 @@
+#!/bin/bash
+#
+# This external  acl helper checks the Kerberos group information without
+# continues ldap queries by leveraging the kerbors ticket group information
+# i.e. PAC field
+#
+# It requires only during startup aldap  query to get the SID for the group name.
+#
+# Squid config lines:
+# auth_param negotiate program /opt/squid/sbin/negotiate_wrapper_auth -d --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain SAMBA.HOME --kerberos /opt/squid/sbin/negotiate_kerberos_auth -d -s GSS_C_NO_NAME -k /etc/squid/squid.keytab -t none
+# external_acl_type test_acl ipv4 %LOGIN %note{group} /opt/squid/sbin/negotiate_external_acl
+# acl squid_allow external test_acl
+#
+# GET SID for Group
+#
+# Please change sample values with real valuse
+#
+if [ -z "$KRB5_KTNAME" ]; then
+   export KTNAME="/etc/krb5.keytab"
+else
+   export KTNAME=$KRB5_KTNAME
+fi
+export PRINCIPAL="HTTP/opensus42.suse.home"
+export DC="dc1.samba.home"
+export KRB5CCNAME="/tmp/squid_krb5cc"
+export GROUPNAME="SQUID_ALLOW"
+export BASEDN="DC=samba,DC=home"
+#
+#
+#
+
+kinit -kt $KTNAME $PRINCIPAL
+SID=`ldapsearch -LLL -Ygssapi -H ldap://$DC:389 -s sub -b "BASEDN" "(CN=$GROUPNAME)" objectsid 2>&1 | awk '{ if ( $0 ~/^object/ ) print $2}'`
+
+(>&2 echo "`date +"%Y/%m/%d %H:%M:%S"`| negotiate_external_acl: SID=$SID")
+
+#
+# Loop over input
+#
+while [ 1 == 1 ] ; do
+  read input
+  found=0
+  user=`echo $input | awk '{ print $1 }'`
+  groups=`echo $input | awk '{ print $2 }'`
+  (>&2 echo "`date +"%Y/%m/%d %H:%M:%S"`| negotiate_external_acl: user=$user")
+  (>&2 echo "`date +"%Y/%m/%d %H:%M:%S"`| negotiate_external_acl: groups=$groups")
+  if [ -n "$groups" ]; then
+    while read group; do
+      if [ "$group" == "$SID" ]; then
+        (>&2 echo "`date +"%Y/%m/%d %H:%M:%S"`| negotiate_external_acl: matched group: $group")
+        found=1
+        echo "OK"
+      fi
+    done <<< "$(echo $groups | tr , "\n" )"
+    if [ $found -eq 0 ]; then
+      echo "ERR"
+    fi
+  else
+    if [ $found -eq 0 ]; then
+      echo "ERR"
+    fi
+  fi
+done
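Review bot: On the SID lookup line the search base is the literal string `"BASEDN"` rather than `"$BASEDN"`, and neither `kinit` nor the lookup result is checked, so the helper can run with an empty `SID`; an empty element in the group list (for example from a doubled comma) would then compare equal and produce `OK`. The main loop also ignores the exit status of `read`, so after Squid closes stdin it spins forever printing `ERR`, and a SID repeated in the list prints `OK` more than once for one request. Separately, `KRB5CCNAME="/tmp/squid_krb5cc"` is a predictable name in a world-writable directory; a cache in a directory owned by the Squid user would avoid pre-creation by another local account. The sketch below fails closed at startup and emits exactly one reply per request line.

```bash
kinit -kt "$KTNAME" "$PRINCIPAL" || exit 1
SID=$(ldapsearch -LLL -Ygssapi -H "ldap://$DC:389" -s sub -b "$BASEDN" "(CN=$GROUPNAME)" objectsid 2>&1 | awk '$0 ~ /^object/ { print $2 }')
if [ -z "$SID" ]; then
  echo "negotiate_external_acl: no SID found for $GROUPNAME" >&2
  exit 1
fi
# ... unchanged: SID log line ...
while read -r user groups _; do
  # ... unchanged: user/groups log lines ...
  result="ERR"
  while IFS= read -r group; do
    if [ -n "$group" ] && [ "$group" == "$SID" ]; then
      # ... unchanged: matched-group log line ...
      result="OK"
      break
    fi
  done <<< "${groups//,/$'\n'}"
  echo "$result"
done
```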
diff --git a/src/auth/negotiate/kerberos/negotiate_kerberos_auth.cc b/src/auth/negotiate/kerberos/negotiate_kerberos_auth.cc
index 5a3c382ca2..74b7eda028 100644
--- a/src/auth/negotiate/kerberos/negotiate_kerberos_auth.cc
+++ b/src/auth/negotiate/kerberos/negotiate_kerberos_auth.cc
@@ -737,7 +737,7 @@ main(int argc, char *const argv[])
                 goto cleanup;
             if (major_status & GSS_S_CONTINUE_NEEDED) {
                 debug((char *) "%s| %s: INFO: continuation needed\n", LogTime(), PROGRAM);
-                fprintf(stdout, "TT %s\n", token);
+                fprintf(stdout, "TT token=%s\n", token);
                 goto cleanup;
             }
             gss_release_buffer(&minor_status, &output_token);
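Review bot: Nothing in this change documents the switch from the positional `TT`/`AF`/`NA` replies to `TT token=`/`OK token= user=`/`ERR token=` (this hunk and the ones at 794, 808 and 834), and the reply paths outside these hunks are not visible, so it cannot be confirmed here that every `fprintf(stdout, ...)` in `main` uses the new form. A helper that mixes both formats would be misparsed by the consumer; the sample configuration in the new script also places this helper behind `negotiate_wrapper_auth`, which presumably has to accept the new result codes too. A short comment above the first reply, such as `/* Replies use the key=value helper protocol: TT token=..., OK token=... user=..., ERR token=... */`, would make the contract explicit. `main` starts and ends outside the hunk.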
@@ -794,11 +794,11 @@ main(int argc, char *const argv[])
 #endif
             rfc_user = rfc1738_escape(user);
 #if HAVE_PAC_SUPPORT
-            fprintf(stdout, "AF %s %s %s\n", token, rfc_user, ag?ag:"group=");
+            fprintf(stdout, "OK token=%s user=%s %s\n", token, rfc_user, ag?ag:"group=");
 #else
-            fprintf(stdout, "AF %s %s\n", token, rfc_user);
+            fprintf(stdout, "OK token=%s user=%s\n", token, rfc_user);
 #endif
-            debug((char *) "%s| %s: DEBUG: AF %s %s\n", LogTime(), PROGRAM, token, rfc_user);
+            debug((char *) "%s| %s: DEBUG: OK token=%s user=%s\n", LogTime(), PROGRAM, token, rfc_user);
             if (log)
                 fprintf(stderr, "%s| %s: INFO: User %s authenticated\n", LogTime(),
                         PROGRAM, rfc_user);
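Review bot: The last `%s` in the PAC branch is written without a key, so the line is valid key=value output only if `ag` already holds `group=...` pairs, which the `"group="` fallback suggests but the hunk does not show. A comment such as `/* ag is pre-formatted as "group=<value>" pairs */` above the `fprintf` would record that, and the same applies to the hunk at 834. The fallback also emits an empty `group=` pair; if the consumer records that as a group note with an empty value, printing nothing when `ag` is NULL may be cleaner, which is worth confirming against the protocol parser.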
@@ -808,7 +808,7 @@ main(int argc, char *const argv[])
                 goto cleanup;
             if (major_status & GSS_S_CONTINUE_NEEDED) {
                 debug((char *) "%s| %s: INFO: continuation needed\n", LogTime(), PROGRAM);
-                fprintf(stdout, "NA %s\n", token);
+                fprintf(stdout, "ERR token=%s\n", token);
                 goto cleanup;
             }
             gss_release_buffer(&minor_status, &output_token);
@@ -834,11 +834,11 @@ main(int argc, char *const argv[])
             }
             rfc_user = rfc1738_escape(user);
 #if HAVE_PAC_SUPPORT
-            fprintf(stdout, "AF %s %s %s\n", "AA==", rfc_user, ag?ag:"group=");
+            fprintf(stdout, "OK token=%s user=%s %s\n", "AA==", rfc_user, ag?ag:"group=");
 #else
-            fprintf(stdout, "AF %s %s\n", "AA==", rfc_user);
+            fprintf(stdout, "OK token=%s user=%s\n", "AA==", rfc_user);
 #endif
-            debug((char *) "%s| %s: DEBUG: AF %s %s\n", LogTime(), PROGRAM, "AA==", rfc_user);
+            debug((char *) "%s| %s: DEBUG: OK token=%s user=%s\n", LogTime(), PROGRAM, "AA==", rfc_user);
             if (log)
                 fprintf(stderr, "%s| %s: INFO: User %s authenticated\n", LogTime(),
                         PROGRAM, rfc_user);
