Squid
el_toster, 2018-02-06 09:05:14


Why does the browser require authentication on the Squid3 proxy server when logging in?
Good afternoon.
Authentication is done on squid3 3.4.8 on Debian 8.10 via the Kerberos protocol.
Set up following parts two and three of https://interface31.ru/tech_it/2015/06/nastraivaem...
cat /etc/squid3/squid.conf

cache_log /var/log/squid/cache.log
# NOTE(review): cache_log lives under /var/log/squid/ while access_log below is
# under /var/log/squid3/ — confirm both directories exist and are writable by the
# squid user, otherwise startup or logging errors may go unnoticed.

# Authentication against AD (Kerberos / Negotiate)
# The helper is bound to the service principal HTTP/sqnew.domain.local; the keytab
# it reads comes from default_keytab_name in /etc/krb5.conf.
auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -s HTTP/sqnew.domain.local
auth_param negotiate children 20
auth_param negotiate keep_alive on
# Group membership lookups. %LOGIN hands the authenticated user name to the helper,
# so any http_access rule that tests SQ_FULL / SQ_MIDUSER forces authentication first.
external_acl_type SQ_FULL ttl=300 negative_ttl=60 %LOGIN /usr/lib/squid3/ext_kerberos_ldap_group_acl -g [email protected]
external_acl_type SQ_MIDUSER ttl=300 negative_ttl=60 %LOGIN /usr/lib/squid3/ext_kerberos_ldap_group_acl -g [email protected]

# Standard ports
# NOTE(review): SSL_ports and CONNECT are defined here but never referenced by an
# http_access rule below, so they currently have no effect.
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

# Whitelist and blacklist are not configured yet
# acl white_list url_regex -i "/etc/squid3/white_list"
# acl black_list url_regex -i "/etc/squid3/black_list"

# Define the access groups; the AD groups exist and the user is a member
acl SQ_FULL external SQ_FULL
acl SQ_MIDUSER external SQ_MIDUSER

# Networks
acl all src all
# acl our_networks src 192.168.102.0/24
acl localnet src 10.0.0.0/8     # RFC 1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC 1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC 1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
# NOTE(review): localnet is defined but not used in any http_access rule below;
# access is gated only by group membership, not by source network.

# Authentication is REQUIRED; nobody gets in without it
acl auth proxy_auth REQUIRED
# NOTE(review): "auth" is defined but the matching "http_access allow auth" rule
# below is commented out. Authentication is still triggered by the external ACL
# checks, but a user who authenticates and belongs to neither group falls through
# to "deny all"; whether the browser then re-prompts or shows a 403 is worth
# checking in access.log (TCP_DENIED with 407 vs 403) when debugging the repeated
# credential prompt.

# Standard restrictions
# NOTE(review): all four default safety rules are commented out. As a result an
# authenticated group member may request any port and CONNECT to any port, and the
# cache manager interface is not protected. Consider restoring "deny !Safe_ports"
# and the manager rules above the group allows.
#http_access deny !Safe_ports
#http_access allow localhost manager
#http_access deny manager
#http_access allow auth

# Access rights for our user groups
http_access allow SQ_FULL
http_access allow SQ_MIDUSER

# Allow localhost
http_access allow localhost

# Proxy server ports
http_port 172.19.252.81:3128

# Reserve 1 GB of memory for the proxy
cache_mem 1024 MB

# Disk space for the cache files
cache_dir ufs /var/spool/squid3 100 16 256

# Where and how much to log
access_log /var/log/squid3/access.log
logfile_rotate 100
coredump_dir /var/spool/squid3

# Caching settings
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$    3600    90%     43200
refresh_pattern .               0       20%     4320

# Enable Russian-language server messages
error_directory /usr/share/squid3/errors/Russian-1251
error_default_language ru

# Force the desired DNS server
dns_nameservers 172.19.252.30
dns_v4_first on

# Deny everything else
http_access deny all

cat /etc/krb5.conf
[libdefaults]

        default_realm = DOMAIN.LOCAL
        # Keytab holding the HTTP/sqnew.domain.local service key used by the
        # Squid negotiate helper.
        # NOTE(review): the helper runs as the squid service user, not root, so
        # this file must be readable by that user — confirm ownership/mode; the
        # klist output above was taken from root's ticket cache and does not
        # prove the helper itself can read the keytab.
        default_keytab_name = /etc/squid3/sqnew.keytab

[realms]
        # Primary and alternate KDCs for the realm
        DOMAIN.LOCAL = {
                kdc = my.domain.local
                kdc = alternate.domain.local
                admin_server = my.domain.local
                admin_server = alternate.domain.local
                default_domain = domain.local
                }

[domain_realm]
        # Map the DNS domain (and all its subdomains) to the realm
                .domain.local = DOMAIN.LOCAL
                domain.local = DOMAIN.LOCAL

klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/[email protected]

Valid starting       Expires              Service principal
01/26/2018 16:29:22  01/27/2018 02:29:22  krbtgt/[email protected]
        renew until 01/27/2018 16:29:22

When the browser is opened, it asks for the login and password for the Squid3 proxy server, but after they are entered it prompts for them again. In the configs shown above only the domain names have been replaced. I am ready to provide any other configs and command output that would help solve the problem.


1 answer(s)
Dimonchik, 2018-02-06
@el_toster

So it keeps asking, then.
Work out separately why Kerberos is not working for you;
in the meantime, temporarily replace it in squid with plain HTTP auth for everyone.
