I think the BCP (best current practice) is to use, in sequence: 1) negotiate_wrapper configured with kerberos and ntlm 2) pure ntlm with ntlm_auth 3) one basic auth of your choice
Inserting those three methods in sequence on your squid.conf will do the job. If you have problems with prompted auth, try inserting the user domain when authenticating, like "MYDOMAIN\myusername". I've found that Internet Explorer needs this.
