I wanted to be able to transparently proxy Windows Integrated Authentication. I made a small change to squid that seems to let it work. I altered the hash key used for the persistent server connection list so it includes the IP and port of the client, as well as the host name and port of the origin server. So when a lookup is done for an idle file descriptor to use to connect to an origin server, only a FD that has previously been used for a connection from the same client port will be used. Before I made this change, in my test setup using IIS with Integrated Windows Authentication, I was getting multiple popups while trying to use Outlook Web Access and also my test web server. After making the change, I got only one popup per session as hoped.
I don't understand why this seems to work, as the documentation, including from Microsoft says that the authentication method requires end-to-end HTTP state, and this change is not sufficient to guarantee that. Perhaps others could try this and report on what they find. Contact me directly for the source code I used. Gary Price Intelligent Compression Technologies
