ERROR: Negotiate Authentication validating user. Error returned 'BH received type 1 NTLM token'

When using authenticated squid is not possible use internet on Windows.
Every time I received a pop-up requiring username e password.
At the logs file there’s a message error:

ERROR: Negotiate Authentication validating user. Error returned ‘BH received type 1 NTLM token’

How could I resolv this insue.


Hi @antonioclj,

welcome to the NethServer Community.

Did you setup as DNS server like in the following thread (similar error) ?

If not please tell us some more about your config by posting the output of:

config show dns
config show sssd

Which Windows version and browser(s) do you use?
Do your clients use NethServer as DNS server?
Did you enter the NethServer FQDN in the proxy settings of your browser? There may be problems with using the IP address.

1 Like

Hi @mrmarkuz,



Windows XP and Windows 10 (Same message Error)

My clients are using NethServer as DNS.

I used IP, but I maked new test with FQDN and the same POP-UP.

The settings seem to be ok.

Which browser do you use?

I tested it now on Windows 10 with Firefox set to automatically detect proxy settings and it worked.

I entered just the username without domain and the password once and the box disappeared until I reopen the browser.

Google Chrome and Edge.


Is it right the squid time be different of the server time ?

I tried it with Edge and Chrome now and you have to deactivate “detect settings automatically” and set the proxy manually: (Sorry for my German Windows screenshot)


Yes, it’s GMT

Thanks @mrmarkuz

Only using IP works. (Appear the pop-up )

Finally Works. :smiley:

When I used the hostname of the server on proxy Win XP working. (Chrome and Opera).
The last version of Firefox not install on Win XP.

But the Edge browser change the hostname (Windows 10).


Suggestion ?

You may try to set it up via the “old” internet settings panel. You’ll find it in chrome proxy settings.

Well, Installed Firefox and Chrome (Windows 10). Firefox work (but I have problem with all links with annouce - youtube not play video). Chrome and Edge can’t work.

Opera and Firefox on Win XP works, but the same problem with the annouces.

Web Filter is disabled.

Trying to found the problem.

You just need to enter the FQDN without “http”:

Sites that use the 443 port are blocked.
The option block https is disabled.

Suggestion ?


Does browsing work normally? Because in case of authentification this is no bad error:

All requests which require authentication but do not provide it get a 407 or
401 response challenging the browser to provided some credentials. This is
true for all authentication types.

Sites that use https I have lag and trouble.
WinXP open https but I have trouble on some links.
Win10 the same sites can’t open (https).
Definetely I have problem with https.

Suggestions ?


Sorry, I could not reproduce the “ERR_TIMED_OUT”. The log files seems to be ok.

It tried it with Win 10 and XP now:

On WIn 10 Edge, Firefox and Chrome are working.

On Win XP only Firefox ESR works, the other browsers have problems with auth but I have to use old browser versions on XP because the newer ones are not supported anymore.

My settings:

Proxy (manually set, FQDN): proxy.domain.local
Turn off any proxy script autodetection function.

I have the same problem! I configured the proxy with squid and AD, authentication works on FIREFOX, however in IE and Chrome the message appears:

I put as fqdn and also with ip to test. Only in firefox it worked. What can it be?

Unfortunately I do not know what is happening. I have refactored the server again and it still gives the same error. If transparent mode is selected all sites work correctly but if authenticated mode is selected the sites are again blocked. Tested on Windows 10 and Windows XP. This config was used with AD mode enabled.

Hi @antonioclj and @Rodrigo_Vieira_da_Co,

please try to open different browsers and login more often. I had some problems immediately after activating auth proxy on a Win 7 machine but I opened another browser, logged in and it worked.
It seems like Opera, Chrome and MS Browsers (IE, edge) use the same proxy config of Windows internet options. Firefox can use an own proxy setting. Use FQDN in proxy settings and check that DNS is fast on your proxy. Clients should use NethServer as DHCP and DNS.

Use dig to check DNS response.

You may open a terminal and watch the log live with tail -f /var/log/cache.log. This is also possible in web UI with log viewer. You should see a working auth after some errors:

2018/04/01 03:16:12 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: received type 1 NTLM token; }}
2018/04/01 03:16:51| negotiate_kerberos_auth: INFO: User markus@AD.CMB.LOCAL authenticated
1 Like

Thanks, @mrmarkuz!
I will test!

1 Like

@antonioclj @Rodrigo_Vieira_da_Co

There’s a howto that covers auth proxy…