http://www.squid-cache.org/Doc/FAQ/FAQ-11.html#ss11.14Version 2.5 will support Microsoft NTLM authentication. However, there are some limits on our support: We cannot proxy connections to a origin server that use NTLM authentication, but we can act as a web accelerator or proxy server and authenticate the client connection using NTLM.We support NT4, Samba, and Windows 2000 Domain Controllers. For more information see winbind .Why we cannot proxy NTLM even though we can use it. Quoting from summary at the end of the browser authentication section in this article: In summary, Basic authentication does not require an implicit end-to-end state, and can therefore be used through a proxy server. Windows NT Challenge/Response authentication requires implicit end-to-end state and will not work through a proxy server. Squid transparently passes the NTLM request and response headers between clients and servers. NTLM relies on a single end-end connection (possibly with men-in-the-middle, but a single connection every step of the way. This implies that for NTLM authentication to work at all with proxy caches, the proxy would need to tightly link the client-proxy and proxy-server links, as well as understand the state of the link at any one time. NTLM through a CONNECT might work, but we as far as we know that hasn't been implemented by anyone, and it would prevent the pages being cached - removing the value of the proxy.NTLM authentication is carried entirely inside the HTTP protocol, but is not a true HTTP authentication protocol and is different from Basic and Digest authentication in many ways.It is dependent on a stateful end-to-end connection which collides with RFC 2616 for proxy-servers to disjoin the client-proxy and proxy-server connections. It is only taking place once per connection, not per request. Once the connection is authenticated then all future requests on the same connection inherities the authentication. The connection must be reestablished to set up other authentication or re-identify the user. This too collides with RFC 2616 where authentication is defined as a property of the HTTP messages, not connections. The reasons why it is not implemented in Netscape is probably:It is very specific for the Windows platform It is not defined in any RFC or even internet draft. The protocol has several shortcomings, where the most apparent one is that it cannot be proxied. There exists an open internet standard which does mostly the same but without the shortcomings or platform dependencies: digest authentication.