diff -pru squid3/src/ICAP/ICAPConfig.h squid3.icap/src/ICAP/ICAPConfig.h
--- squid3/src/ICAP/ICAPConfig.h 2006-10-31 18:52:31.000000000 -0500
+++ squid3.icap/src/ICAP/ICAPConfig.h 2006-11-15 16:03:36.000000000 -0500
@@ -101,6 +101,8 @@ public:
 int default_options_ttl;
 int send_client_ip;
 int send_client_username;
+ int send_auth_user;
+ char *auth_scheme;
 int reuse_connections;
 Vector services;
diff -pru squid3/src/ICAP/ICAPModXact.cc squid3.icap/src/ICAP/ICAPModXact.cc
--- squid3/src/ICAP/ICAPModXact.cc 2006-10-31 18:52:31.000000000 -0500
+++ squid3.icap/src/ICAP/ICAPModXact.cc 2006-11-15 23:35:03.000000000 -0500
@@ -1019,7 +1019,59 @@ void ICAPModXact::makeRequestHeaders(Mem
 if (request->auth_user_request)
 if (request->auth_user_request->username())
 buf.Printf("X-Client-Username: %s\r\n", request->auth_user_request->username());
+ if (TheICAPConfig.send_client_username && request && TheICAPConfig.auth_scheme)
+ if (request->auth_user_request)
+ if (request->auth_user_request->username()) {
+ int len, userlen, schemelen, domlen, userofslen, domainofslen;
+ const char *user = request->auth_user_request->username();
+ char *authuser = NULL;
+ char *domain = NULL;
+ char *userofs = NULL;
+ char *domainofs = NULL;
+ char *dompart = NULL;
+ userlen = strlen(user);
+ schemelen = strlen(TheICAPConfig.auth_scheme);
+ len = userlen + schemelen + 1;
+ authuser = new char[len];
+ domain = new char[len];
+ memset(domain, 0, len);
+ memset(authuser, 0, len);
+
+ if ((userofs = strstr(TheICAPConfig.auth_scheme, "%u")) == NULL) {
+ /* simply add user at end of string */
+ snprintf(authuser, len, "%s%s", TheICAPConfig.auth_scheme, user);
+ } else {
+ domainofs = strstr(TheICAPConfig.auth_scheme, "%d");
+ dompart = strstr(user, "\\");
+ if ((dompart != NULL) && (domainofs != NULL)) {
+ userofslen = userofs - TheICAPConfig.auth_scheme;
+ domlen = dompart - user;
+ xmemcpy(domain, TheICAPConfig.auth_scheme, userofslen);
+ xmemcpy(domain + userofslen, dompart+1, userlen - domlen);
+ xmemcpy(domain + userofslen + userlen - domlen - 1,
+ userofs + 2, schemelen - (userofslen + 2) + 1);
+ domainofs = strstr(domain, "%d");
+ domainofslen = domainofs - domain;
+ xmemcpy(authuser, domain, domainofslen);
+ xmemcpy(authuser + domainofslen, user, domlen);
+ xmemcpy(authuser + domainofslen + domlen,
+ domainofs + 2, strlen(domain) - (domainofslen + 2) + 1);
+ } else {
+ userofslen = userofs - TheICAPConfig.auth_scheme;
+ xmemcpy(authuser, TheICAPConfig.auth_scheme, userofslen);
+ xmemcpy(authuser + userofslen, user, userlen);
+ xmemcpy(authuser + userofslen + userlen,
+ userofs + 2, schemelen - (userofslen + 2) + 1);
+ }
+}
+ debug(94,1) ("X-Authenticated-User: %s\n", authuser);
+ buf.Printf("X-Authenticated-User: %s\r\n", base64_encode(authuser));
+ if (authuser)
+ delete(authuser);
+ if (domain)
+ delete(domain);
+}
 // fprintf(stderr, "%s\n", buf.content());
 buf.append(ICAP::crlf, 2); // terminate ICAP header
diff -pru squid3/src/cf.data.pre squid3.icap/src/cf.data.pre
--- squid3/src/cf.data.pre 2006-11-04 10:50:51.000000000 -0500
+++ squid3.icap/src/cf.data.pre 2006-11-15 15:52:02.000000000 -0500
@@ -5047,6 +5047,38 @@ DOC_START
 if proxy access is authentified.
 DOC_END
+NAME: icap_send_auth_user
+TYPE: onoff
+IFDEF: ICAP_CLIENT
+COMMENT: on|off
+LOC: TheICAPConfig.send_auth_user
+DEFAULT: off
+DOC_START
+ Allows Squid to add the "X-Authenticated-User" header if requested
+ by an ICAP service in it's response to OPTIONS.
+DOC_END
+
+NAME: icap_auth_scheme
+TYPE: string
+IFDEF: ICAP_CLIENT
+LOC: TheICAPConfig.auth_scheme
+DEFAULT: Local://%u
+DOC_START
+ Authentification scheme to pass to ICAP requests if
+ icap_send_auth_user is enabled. The first occurence of "%u"
+ is replaced by the authentified user name. If no "%u" is found,
+ the username is added at the end of the scheme.
+
+ See http://www.ietf.org/internet-drafts/draft-stecher-icap-subid-00.txt,
+ section 3.4 for details on this.
+
+ Examples:
+
+ icap_auth_scheme Local://%u
+ icap_auth_scheme LDAP://ldap-server/cn=%u,dc=company,dc=com
+ icap_auth_scheme WinNT://nt-domain/%u
+ icap_auth_scheme Radius://radius-server/%u
+DOC_END
 NAME: icap_service
 TYPE: icap_service_type
 IFDEF: ICAP_CLIENT
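Review bot: The added block is gated on `TheICAPConfig.send_client_username` rather than on the `send_auth_user` flag this patch introduces, so `icap_send_auth_user off` appears to have no effect and the authenticated identity would be sent to the ICAP service whenever X-Client-Username is enabled; the condition should read `if (TheICAPConfig.send_auth_user && request && TheICAPConfig.auth_scheme)`. Both buffers come from `new char[len]` but are released with scalar `delete(authuser)` and `delete(domain)`, which is undefined behaviour; use `delete[] authuser;` and `delete[] domain;`. `debug(94,1)` writes the expanded user name to the log at level 1 for every request, which is presumably too verbose for an identity value, so a higher debug level would be safer. The second lookup, `strstr(domain, "%d")`, runs after the client-supplied user part has been copied into `domain`, so a `%d` sequence inside the name can be taken for the placeholder; expanding `%d` before `%u` avoids that. makeRequestHeaders starts and ends outside this hunk, and the OPTIONS negotiation described in cf.data.pre is not visible here.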
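Review bot: The `icap_auth_scheme` text documents only `%u`, while the ICAPModXact.cc hunk of this patch also expands `%d` when the user name contains a backslash; the placeholder should be described here, for example `If the scheme also contains "%d" and the user name has the form DOMAIN\user, "%d" is replaced by DOMAIN and "%u" by user.` The `icap_send_auth_user` entry says the header is added only when the ICAP service requests it in its OPTIONS response, but no such check is visible in this patch, so the wording should match what the code actually does. It would also help administrators to state that the header carries the authenticated user name, base64-encoded, to the ICAP service, so that the option is enabled only for services trusted with that identity.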