[squid-users] Re: Re: Re: Squid + Kerberos + Active Directory

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Mon, 8 Jun 2009 06:36:12 +0100

"Markus Moeller" <huaraz_at_moeller.plus.com> wrote in message
news:h0gs7v$mkp$1_at_ger.gmane.org...
> >
>>----- Original Message -----
>>From: "Truth Seeker" <truth_seeker_3535_at_yahoo.com>
>>To: "Markus Moeller" <huaraz_at_moeller.plus.com>
>>Cc: "Squid maillist" <squid-users_at_squid-cache.org>
>>Sent: Sunday, June 07, 2009 10:23 AM
>>Subject: Re: [squid-users] Re: Re: Re: Squid + Kerberos + Active Directory
>>
>>
>>> Dear Markus,
>>>
>>> After trying all the possible ways, I got at least one time an
>>> error message in cache.log
>>>
>>> 2009/06/07 11:31:46| AuthConfig::CreateAuthUser: Unsupported or
>>> unconfigured/inactive proxy-auth scheme, 'NTLM
>>> TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw=='
>>>
>
> So IE or Firefox don't do negotiate.
>
>>>
>>> after that I didn't get this message at all...
>>>
>>> My Client is Win XP with IE 6 and Firefox 3.0.10. It's working really
>>> fine behind the MS ISA Server.
>>>
>>> But no way behind the squid???
>>>
>

BTW IE 6 does not support negotiate for proxy authentication if I remember
right. You need IE 7 or higher.

> Because squid is configured for negotiate/kerberos. Can you do the
> following
> in Firefox:
>
> 1) Type about:config in the URL bar
> 2) In the filter type nego
> 3) double click on network.negotiate-auth.trusted-uris
> 4) Enter .panasonic.com
> 5) Try again
>
> If that does not work can you run the attached binary on your XP desktop
> as
> follows:
>
> getTGT -p HTTP/linuxproxy.panasonic.com
>
> You should get an output like:
>
> getTGT.exe -p HTTP/w2k3r2.win2003r2.home
> 2009/06/07 17:50:42| getTGT[5180]: Info: Context Key Information:
> 2009/06/07 17:50:42| getTGT[5180]: Signature Algorithm: (-138)
> 2009/06/07 17:50:42| getTGT[5180]: Encryption Algorithm: RSADSI
> RC4-HMAC(23)
> 2009/06/07 17:50:42| getTGT[5180]: Key Size: 128
> 2009/06/07 17:50:42| getTGT[5180]: Info: Context Session Key Length: 16
> 2009/06/07 17:50:42| getTGT[5180]: Info: Context Client Native Name:
> Administrator_at_WIN2003R2.HOME
> 2009/06/07 17:50:42| getTGT[5180]: Info: Context Server Native Name:
> HTTP/w2k3r2.win2003r2.home_at_WIN2003R2.HOME
> 2009/06/07 17:50:42| getTGT[5180]: Info: Context Start Time: 2009/06/07
> 17:50:42
> 2009/06/07 17:50:42| getTGT[5180]: Info: Context End Time: 2009/06/08
> 03:42:29
> 2009/06/07 17:50:42| getTGT[5180]: Info: Credential User Principal Name:
> Administrator_at_WIN2003R2.HOME
> 2009/06/07 17:50:42| getTGT[5180]: Info: Credential ExpiryTime: 2009/06/08
> 03:42:29
>
> and a klist tickets should give:
>
> C:\WINNT\Profiles\Administrator.WIN2003R2.000>klist tickets
>
> Cached Tickets: (2)
>
> Server: krbtgt/WIN2003R2.HOME_at_WIN2003R2.HOME
> KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
> End Time: 6/8/2009 3:42:29
> Renew Time: 6/14/2009 17:42:29
>
>
> Server: HTTP/w2k3r2.win2003r2.home_at_WIN2003R2.HOME
> KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
> End Time: 6/8/2009 3:42:29
> Renew Time: 6/14/2009 17:42:29
>
>
> C:\WINNT\Profiles\Administrator.WIN2003R2.000>
>
>
> klist is part of the resource kit tools
> (http://www.microsoft.com/downloads/details.aspx?familyid=9d467a69-57ff-4ae7-96ee-b18c4790cffd&displaylang=en)
>
> If getTGT gives an error like:
> 2009/06/07 17:55:10| getTGT[3640]: InitializeSecurityContext failed:
> SEC_E_TARGET_UNKNOWN
>
> it means that either the kdc does not have a principal with the name or
> the
> client does not have a valid user ticket which can be checked with klist
> tgt:
>
> C:\WINNT\Profiles\Administrator.WIN2003R2.000>klist tgt
>
> Cached TGT:
>
> ServiceName: krbtgt
> TargetName: krbtgt
> FullServiceName: Administrator
> DomainName: WIN2003R2.HOME
> TargetDomainName: WIN2003R2.HOME
> AltTargetDomainName: WIN2003R2.HOME
> TicketFlags: 0x40e00000
> KeyExpirationTime: 1/1/1601 1:00:00
> StartTime: 6/7/2009 17:42:29
> EndTime: 6/8/2009 3:42:29
> RenewUntil: 6/14/2009 17:42:29
> TimeSkew: 1/1/1601 1:00:00
>
>
>
>>> i captured the following types of traffic;
>>>
>>> a. My XP Client + IE 6 <---> ISA Server
>>> b. MY XP Client + IE 6 <---> squid-3.0.STABLE13-1.el5 + CentOS 5.2
>>> c. more auth packet level details of Client <-> ISA Server
>>> d. more auth packet level details of Client <-> Squid
>>>
>>>
>>> Please see the attachments;
>>>
>>> and hoping for a way to resolve the issue.
>>>
>>>
>>> From all this what I understood is, the client is trying to do NTLM auth,
>>> but the server doesn't support it. OK, if this is the case, how can I tell the
>>> client not to use NTLM and just use Kerberos. Second case, how can I
>>> configure squid to handle the NTLM based authentication.
>>>
>
> There are NTLM helpers as part of the squid package available. Or better
> use
> the samba ntlm_auth helper.
>
>>>
>>> guide me please...
>>>
>
> Regards
> Markus
>
>
>
Received on Mon Jun 08 2009 - 05:36:38 MDT

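The cache.log line quoted in the thread shows both the scheme name and the base64 token Squid received in the Proxy-Authorization header, and the whole diagnosis hinges on telling an NTLM token from a Negotiate (SPNEGO or raw Kerberos) token. The following Python is an added example, not code from this thread or from Squid: it decodes such a token far enough to name the mechanism, using the NEGOTIATE_MESSAGE layout from Microsoft's [MS-NLMP] specification for NTLM and the GSS-API InitialContextToken header (RFC 2743) for Negotiate. It runs over the exact token from the thread plus constructed minimal SPNEGO and Kerberos headers; the `scan_cache_log` helper and its sample log line are assumptions for illustration.

```python
import base64
import re
import struct

# NTLM NegotiateFlags from [MS-NLMP] 2.2.2.5 (subset relevant to a Type 1 message).
NTLM_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000200: "NEGOTIATE_NTLM",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x02000000: "NEGOTIATE_VERSION",
    0x20000000: "NEGOTIATE_128",
    0x80000000: "NEGOTIATE_56",
}
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
# DER-encoded mechanism OIDs that follow the 0x60 tag of a GSS-API
# InitialContextToken (RFC 2743 section 3.1).
SPNEGO_OID = bytes.fromhex("06062b0601050502")          # 1.3.6.1.5.5.2
KERBEROS_OID = bytes.fromhex("06092a864886f712010202")  # 1.2.840.113554.1.2.2

# The token from the cache.log line in the thread (an NTLM Type 1 message).
SAMPLE_NTLM_HEADER = "NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw=="
# Constructed for contrast: minimal GSS-API headers carrying the SPNEGO and
# Kerberos OIDs (not complete negotiations, just enough to exercise the classifier).
SAMPLE_SPNEGO_HEADER = "Negotiate " + base64.b64encode(
    b"\x60\x0c" + SPNEGO_OID + b"\xa0\x02\x30\x00").decode()
SAMPLE_KERBEROS_HEADER = "Negotiate " + base64.b64encode(
    b"\x60\x0b" + KERBEROS_OID).decode()
# Constructed cache.log lines in the format Squid 3.0 used in the thread.
SAMPLE_CACHE_LOG = [
    "2009/06/07 11:31:46| AuthConfig::CreateAuthUser: Unsupported or "
    "unconfigured/inactive proxy-auth scheme, '" + SAMPLE_NTLM_HEADER + "'",
    "2009/06/07 11:31:47| Starting Squid Cache version 3.0.STABLE13 for ...",
]


def _skip_der_length(raw, offset):
    """Return the offset just past the DER length field starting at raw[offset]."""
    first = raw[offset]
    if first < 0x80:
        return offset + 1
    return offset + 1 + (first & 0x7F)


def classify_token(token_b64):
    """Identify the authentication mechanism inside a base64 proxy-auth token."""
    raw = base64.b64decode(token_b64)
    if raw.startswith(NTLMSSP_SIGNATURE):
        info = {"mechanism": "NTLM"}
        if len(raw) >= 16:
            msg_type, flags = struct.unpack_from("<II", raw, 8)
            info["message_type"] = msg_type
            info["flags"] = [n for bit, n in NTLM_FLAGS.items() if flags & bit]
            # The optional Version field sits at offset 32 of a Type 1 message
            # when NEGOTIATE_VERSION is set: major, minor, build, 3 reserved, revision.
            if msg_type == 1 and flags & 0x02000000 and len(raw) >= 40:
                major, minor, build = struct.unpack_from("<BBH", raw, 32)
                info["client_os"] = "%d.%d.%d" % (major, minor, build)
        return info
    if raw[:1] == b"\x60":
        body = raw[_skip_der_length(raw, 1):]
        if body.startswith(SPNEGO_OID):
            return {"mechanism": "SPNEGO"}
        if body.startswith(KERBEROS_OID):
            return {"mechanism": "Kerberos"}
        return {"mechanism": "GSS-API (unrecognised OID)"}
    return {"mechanism": "unknown"}


def classify_header(proxy_authorization):
    """Split 'Scheme token' as seen in Proxy-Authorization and classify the token."""
    scheme, _, token = proxy_authorization.strip().partition(" ")
    info = classify_token(token) if token else {"mechanism": "unknown"}
    info["scheme"] = scheme
    # A raw NTLMSSP blob under the 'NTLM' scheme means the client never
    # attempted Negotiate/Kerberos for this request, which is exactly what
    # Squid's negotiate_auth configuration cannot accept.
    info["kerberos_attempted"] = info["mechanism"] in ("SPNEGO", "Kerberos")
    return info


_REJECT_RE = re.compile(r"proxy-auth scheme, '([^']+)'")


def scan_cache_log(lines):
    """Classify every rejected proxy-auth header found in cache.log lines."""
    hits = []
    for line in lines:
        match = _REJECT_RE.search(line)
        if match:
            hits.append(classify_header(match.group(1)))
    return hits


if __name__ == "__main__":
    for hit in scan_cache_log(SAMPLE_CACHE_LOG):
        print(hit)
    print(classify_header(SAMPLE_SPNEGO_HEADER))
```

Run against the thread's token, the classifier reports an NTLM Type 1 message with NEGOTIATE_VERSION set and a client version of 5.1.2600, which matches the Windows XP client described, so the browser sent plain NTLM rather than a Negotiate token, as Markus concludes.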