[squid-users] Re: Re: Unable to get Firefox to authenticate via Kerberos

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Tue, 2 Feb 2010 22:14:23 -0000

I recall that there was a problem with ktpass. Did you use the version for
SP2? Can you try what is described in the squid wiki with msktutil?

Markus

"Mike Bordignon (GMI)" <mike_at_gmi.co.nz> wrote in message
news:4B688F74.1050607_at_gmi.co.nz...
>
> I did read that I shouldn't use DES but I wasn't able to get it going with
> RC4. Each time I generate a keytab with RC4 encryption I cannot get it going
> after copying to my squid box. Do I need to do anything to Windows Server 2003
> to have it generate/accept tickets with RC4 encryption? From kerbtray it
> appears I already have other RC4 tickets, so I'm confused.
>
> This is the command line I'm using to generate the keytab:
>
> ktpass -princ HTTP/fqdn@REALM -mapuser user@REALM -pass password -ptype
> KRB5_NT_SRV_HST -out squid.keytab
>
> The errors I receive in cache.log after generating the keytab with ktpass
> are as follows;
>
> 2010/02/03 09:45:49| squid_kerb_auth: Got 'YR
> TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid
> (length: 59).
> 2010/02/03 09:45:49| squid_kerb_auth: parseNegTokenInit failed with rc=101
> 2010/02/03 09:45:49| squid_kerb_auth: received type 1 NTLM token
>
> In /etc/krb5.conf I have;
> permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
> default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
> default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
>
> Any suggestions?
>
>
> -------- Original Message --------
> Subject: [squid-users] Re: Unable to get Firefox to authenticate via
> Kerberos
> From: Markus Moeller <huaraz_at_moeller.plus.com>
> To: squid-users_at_squid-cache.org
> Date: 2/02/2010 7:21 p.m.
>> BTW, you shouldn't use DES encryption anymore as it is too weak and will
>> be disabled in future Kerberos libraries (as you have noticed in Windows
>> 7). Use RC4 or AES.
>>
>> Markus
>>
>> "Mike Bordignon (GMI)" <mike_at_gmi.co.nz> wrote in message
>> news:4B676552.20907_at_gmi.co.nz...
>>>
>>> No matter - this was the problem
>>> http://www.mcplusa.com/blog/2009/10/authentication-with-kerberos-on-windows-7-and-the-google-search-appliance/
>>>
>>>
>>> -------- Original Message --------
>>> Subject: [squid-users] Unable to get Firefox to authenticate via
>>> Kerberos
>>> From: Mike Bordignon (GMI) <mike_at_gmi.co.nz>
>>> To: squid-users_at_squid-cache.org
>>> Date: 2/02/2010 11:03 a.m.
>>>> Hello,
>>>>
>>>> I've recently managed to set up squid3.0 (STABLE8, on Debian Lenny) to
>>>> authenticate requests via a Win2003 machine over Kerberos. It's working
>>>> well with IE7 (on XP), but neither IE8 nor FF3.0 (both on Windows 7)
>>>> will authenticate successfully. When I configure a squid_ldap_auth
>>>> backup it will authenticate, but when I specify only negotiate it will
>>>> fail miserably.
>>>>
>>>> This is what I'm getting in cache.log:
>>>>
>>>> 2010/02/02 10:53:48| squid_kerb_auth: Got 'YR
>>>> TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid
>>>> (length: 59).
>>>> 2010/02/02 10:53:48| squid_kerb_auth: parseNegTokenInit failed with
>>>> rc=101
>>>> 2010/02/02 10:53:48| squid_kerb_auth: received type 1 NTLM token
>>>>
>>>> This puzzles me as I've set up network.negotiate-auth.trusted-uris in
>>>> Firefox correctly (I've tried setting it to both domain.com and
>>>> proxy.domain.com). Using kerbtray I don't appear to have any tickets for
>>>> http/fqdn/realm.com. Should I have? Do I need to restart Windows?
>>>>
>>>> IE8 appears to prompt for Integrated Security but when I enter my
>>>> credentials nothing happens. The same log entry above appears.
>>>>
>>>> Any help much appreciated.
>>>>
>>>>
>>>>
>>>> cheers
>>>> Mike
>>>
>>
>>
>
> --
> Mike Bordignon
> Gareth Morgan Investments
> p: +64 4 494 6076
> m: +64 21 614 308
> w: http://gmi.co.nz
>
>
Received on Tue Feb 02 2010 - 22:15:07 MST
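The token in the cache.log lines quoted above begins with `TlRMTVNTUAAB`, which is base64 for `NTLMSSP\0` followed by message type 1: the Windows 7 browsers sent a raw NTLM NEGOTIATE message rather than the SPNEGO token squid_kerb_auth expects, which is why parseNegTokenInit fails before any Kerberos processing happens. The decoder below is an added example, not code from the thread or from Squid; it pulls the blob out of a squid_kerb_auth log line (Squid prefixes the client's first token with `YR`, later ones with `KK`) and reports which mechanism the client actually used, including the OS version a type 1 NTLM message advertises. The sample log line is the one from the thread, embedded here as constructed input.

```python
import base64
import re
import struct

# Constructed sample: the squid_kerb_auth line quoted in the thread above.
SAMPLE_LOG = ("2010/02/03 09:45:49| squid_kerb_auth: Got 'YR "
              "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw=='"
              " from squid (length: 59).")

NTLMSSP_SIG = b"NTLMSSP\x00"
SPNEGO_OID = bytes.fromhex("06062b0601050502")          # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")      # 1.2.840.113554.1.2.2
NTLMSSP_NEGOTIATE_VERSION = 0x02000000                  # flag: Version block present


def token_from_log(line):
    """Extract and base64-decode the blob from a "Got 'YR ...'" helper line.

    Squid hands the negotiate helper the client's token prefixed with YR
    (first token) or KK (continuation); returns None if the line has neither.
    """
    m = re.search(r"Got '(?:YR|KK) ([A-Za-z0-9+/=]+)'", line)
    return base64.b64decode(m.group(1)) if m else None


def classify_token(tok):
    """Say which mechanism the client actually used, from the token's framing."""
    if tok.startswith(NTLMSSP_SIG):
        # NTLMSSP message: signature, then little-endian MessageType and flags.
        msg_type, flags = struct.unpack_from("<II", tok, 8)
        info = {"mech": "NTLM", "ntlm_type": msg_type, "flags": flags}
        # A NEGOTIATE (type 1) message carries a Version block at offset 32
        # when NTLMSSP_NEGOTIATE_VERSION is set: major, minor, build number.
        if msg_type == 1 and flags & NTLMSSP_NEGOTIATE_VERSION and len(tok) >= 40:
            major, minor, build = struct.unpack_from("<BBH", tok, 32)
            info["client_os"] = f"{major}.{minor}.{build}"
        return info
    if tok[:1] == b"\x60":
        # GSS-API InitialContextToken: [APPLICATION 0] tag, DER length, mech OID.
        head = tok[:16]
        if SPNEGO_OID in head:
            return {"mech": "SPNEGO"}
        if KRB5_OID in head:
            return {"mech": "KRB5"}
        return {"mech": "GSSAPI-unknown"}
    return {"mech": "unknown"}


if __name__ == "__main__":
    print(classify_token(token_from_log(SAMPLE_LOG)))
```

For the thread's token this reports NTLM type 1 from client OS 6.1.7600 (Windows 7), confirming the browser never obtained a Kerberos service ticket for the proxy SPN and fell back to NTLM.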