AD Integration to Pfsense (With NTLM Authentication)



  • Hi,

    I'm trying to set up a pfSense firewall and Squid proxy server with Windows Active Directory integration (NTLM authentication). Can somebody point me to proper documentation that explains all the steps required to authenticate users against Windows AD and what kind of security permissions should be allowed from AD to complete the bind process? When we do testing, some Windows server versions allow binding with the pfSense server, whereas some servers do not allow it.

    I hope to configure ACLs based on domain user groups. I followed the steps given in the link (http://pf2ad.mundounix.com.br/en/index.html), but it does not work at all. Just after getting authenticated, it allows users to browse the internet regardless of the group ACL configuration in SquidGuard Proxy Filter.

    Thanks in advance,

    Yasantha



  • I never tried to implement NTLM but, thinking about this, I wonder how this works.
    Authentication is pretty clear but then how would you get the group membership information relying on NTLM?

    As you have AD as a back-end, why don't you use LDAP protocol which will bring both authentication and group membership?
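    The LDAP-based approach suggested above, as an added example that is not part of this thread: a squid.conf fragment that authenticates against AD over LDAP and then gates access by AD group, with a final deny so authenticated users outside the group are not let through. The domain, DC hostname, bind account, group name, password file and helper paths are assumptions for illustration.

    ```conf
    # Added example (not from the thread). Assumed values: domain example.com,
    # DC dc01.example.com, read-only bind account "squid", group "InternetUsers"
    # under ou=Groups, helper paths as installed by the pfSense squid package,
    # bind password stored root-only in /usr/local/etc/squid/ldap.pw.

    # 1. Basic auth over LDAP: find the user by sAMAccountName, then bind as
    #    that user with the password the browser supplied.
    auth_param basic program /usr/local/libexec/squid/basic_ldap_auth \
        -R -b "dc=example,dc=com" \
        -D "cn=squid,ou=ServiceAccounts,dc=example,dc=com" \
        -W /usr/local/etc/squid/ldap.pw \
        -f "(&(objectClass=person)(sAMAccountName=%s))" \
        -h dc01.example.com
    auth_param basic children 5
    auth_param basic realm Proxy
    auth_param basic credentialsttl 2 hours

    # 2. Group check: the helper receives the login as %v and the ACL argument
    #    as %g, and answers OK only when memberOf contains that group.
    #    ttl/negative_ttl cache answers, so group changes take a few minutes.
    external_acl_type ldap_group ttl=300 negative_ttl=60 %LOGIN \
        /usr/local/libexec/squid/ext_ldap_group_acl \
        -R -b "dc=example,dc=com" \
        -D "cn=squid,ou=ServiceAccounts,dc=example,dc=com" \
        -W /usr/local/etc/squid/ldap.pw \
        -f "(&(objectClass=person)(sAMAccountName=%v)(memberOf=cn=%g,ou=Groups,dc=example,dc=com))" \
        -h dc01.example.com

    acl authenticated proxy_auth REQUIRED
    acl internet_users external ldap_group InternetUsers

    # 3. Order matters: require credentials, allow only the group, deny the
    #    rest. Without the closing deny, every authenticated user gets out,
    #    which is the symptom described in the first post.
    http_access deny !authenticated
    http_access allow internet_users
    http_access deny all
    ```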



  • Thank you very much. When I search through the forum, I observe that there are many posts relating to Squid to LDAP integration without answers. I would really appreciate it if you could point me to a how-to document or tutorial on the net.

    When using NTLM authentication, we can use winbind to get group membership details. But it doesn't work with SquidGuard ACLs.



  • Winbind will, somehow, encapsulate LDAP requests, although with some side effects (due to caching if I understand well) especially with group membership.

    This said, rather than looking for a "how to", why not explain in more detail what works and what doesn't in your configuration?
    I believe it will be much more efficient than asking for yet another document that you will follow but which may not fix the issue you're facing.

