The easiest way is to look at the traffic in Wireshark.
Markus
"Carlos Defoe" wrote in message
news:CAHsHsyvkKcZCf+6f1MQQRMmhGODxyn_BoeeqcVva3YH4ywLb7w_at_mail.gmail.com...
My goal was only to know which computer and/or user is failing to use
each method of authentication. The network is too big, and among those
thousands of messages I need to know first from where those failed are
coming. Probably the user is being prompted with the auth window, but
as he thinks it is normal, he doesn't claim our support to fix it. I
wanna know so I can send support to fix or replace the computer.
On Thu, Oct 31, 2013 at 2:14 PM, Carlos Defoe <carlosdefoe_at_gmail.com> wrote:
> Hi Amos,
>
> Seems that it doesn't work for Kerberos tokens:
>
> NTLM Signature:`� � +
> NTLM Message Type:2551
> BITMAP111111111111000000000000000000000000000000
> Unknown @12:0x 160
> ...
>
> For an NTLM token it shows the flags.
>
> On Thu, Oct 31, 2013 at 2:41 AM, Amos Jeffries <squid3_at_treenet.co.nz>
> wrote:
>> On 31/10/2013 6:02 a.m., Carlos Defoe wrote:
>>>
>>> Hi,
>>>
>>> Is it possible to decode those "negotiate_kerberos_auth" debug
>>> messages? I tried "base64 -d", but it shows a lot of garbage and
>>> almost nothing readable.
>>
>>
>> It is a binary NTLMSSPI packet. I have put a simple decoder together for
>> debugging purposes:
>> http://treenet.co.nz/projects/squid/ntlm_token.php
>>
>> Amos
Received on Thu Oct 31 2013 - 21:36:50 MDT
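Added example, not part of the original thread or of Squid: a small Python classifier that takes the base64 token string from a helper debug line and reports whether it is a raw NTLM message, a Kerberos 5 GSS-API token, or an SPNEGO wrapper carrying NTLM, which is the distinction needed to find clients falling back from Kerberos. The function names are hypothetical and the sample tokens are constructed (headers only, filler payload, length bytes not exact).

```python
import base64
import struct

# DER-encoded mechanism OIDs (tag 0x06, length, value).
OID_SPNEGO = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")    # 1.2.840.113554.1.2.2
NTLM_SIG = b"NTLMSSP\x00"
NTLM_TYPES = {1: "negotiate", 2: "challenge", 3: "authenticate"}


def _skip_der_length(buf, pos):
    """Return the offset just past the DER length field starting at pos."""
    first = buf[pos]
    return pos + 1 if first < 0x80 else pos + 1 + (first & 0x7F)


def classify_negotiate_token(b64_token):
    """Name the mechanism carried by a base64 Negotiate/NTLM token."""
    try:
        raw = base64.b64decode(b64_token, validate=True)
    except ValueError:
        return "not base64"
    if raw.startswith(NTLM_SIG) and len(raw) >= 12:
        (msg_type,) = struct.unpack_from("<I", raw, 8)   # little-endian type
        return "raw NTLM " + NTLM_TYPES.get(msg_type, "type %d" % msg_type)
    if len(raw) > 2 and raw[0] == 0x60:       # GSS-API InitialContextToken
        body = _skip_der_length(raw, 1)
        if raw.startswith(OID_KRB5, body):
            return "Kerberos 5"
        if raw.startswith(OID_SPNEGO, body):
            # Heuristic: SPNEGO wraps another mechanism; an embedded NTLMSSP
            # signature means the client is using NTLM inside Negotiate.
            if NTLM_SIG in raw:
                return "SPNEGO carrying NTLM"
            return "SPNEGO"
    if raw[:1] == b"\xa1":                    # SPNEGO NegTokenResp
        return "SPNEGO response"
    return "unknown"


def _sample(raw):
    return base64.b64encode(raw).decode()

# Constructed sample tokens: real headers, filler payload.
SAMPLES = {
    "ntlm": _sample(NTLM_SIG + struct.pack("<II", 1, 0xA2088207)),
    "krb5": _sample(b"\x60\x82\x01\x00" + OID_KRB5 + b"\x01\x00" + b"\x00" * 8),
    "spnego_ntlm": _sample(b"\x60\x40" + OID_SPNEGO + b"\xa0\x36" + NTLM_SIG + struct.pack("<I", 1)),
}
```

Running the classifier over every token in the helper's debug output and grouping the results by client address gives the list of machines that never present a Kerberos token.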
This archive was generated by hypermail 2.2.0 : Fri Nov 01 2013 - 12:00:07 MDT