RE: [squid-users] Re: Authentication using squid_kerb_auth with Internet Explorer 8 on Windows Server 2008 R2
Markus

After further investigation using gdb I have been able to determine the problem is caused by a particular combination of encryption and checksum types which seems to only occur (at this stage) in Windows 2008 R2 and possibly Windows 7, although I have not confirmed this.

In my Windows 2008 R2 environment (including Active Directory, running in Windows 2003 mode rather than Windows 2008), the keytab which I created for squid using msktutil (with enctypes = 28) gave me keys encrypted with ArcFour with HMAC/md5, AES-128 CTS mode with 96-bit SHA-1 HMAC and AES-256 CTS mode with 96-bit SHA-1 HMAC.

The problem lies with the Kerberos libraries installed with Ubuntu 10.04 LTS (1.8.1+dfsg-2ubuntu0.3). They return an error when working with AES-256 and the checksum encryption type ArcFour with HMAC/md5. This has been reported on the MIT Kerberos developers list (http://mailmain.mit.edu/pipermail/krbdev/2010-July/009148.html) and assigned ticket 6751. This has been resolved and included in the MIT Kerberos 1.8.3 release. However, it does not appear to have been backported to Ubuntu 10.04 LTS yet.

I compiled the MIT Kerberos 1.8.3 source and re-built squid_kerb_auth against these libraries and the problem no longer occurs, i.e. a domain user logged into a Windows 2008 R2 server can authenticate using Kerberos in IE8. Kerberos authentication continues to work with IE8 and Firefox in Windows XP for domain users.

I greatly appreciate the assistance of Markus Moeller in resolving this. Without his guidance and suggestions it would have taken me a lot longer to nail down the problem.

Hopefully this information will be of some use to others.

Regards

Paul

> -----Original Message-----
> From: Markus Moeller [mailto:hua...@moeller.plus.com]
> Sent: Sunday, 31 October 2010 6:45 AM
> To: squid-users@squid-cache.org
> Subject: [squid-users] Re: Authentication using squid_kerb_auth with Internet Explorer 8 on Windows Server 2008 R2
>
> My tests show the same. RC4 works but AES 128/256 fail. It seems to be some incompatibility between MS and MIT/Heimdal Kerberos libraries introduced in R2
>
> Markus
>
> "DmitrySh" wrote in message news:1288361044027-3019158.p...@n4.nabble.com...
> >
> > I solved the problem on Win7 (temporary)
> > I set RC4-HMAC type for kerberos transactions in Local Security Policy
> > http://technet.microsoft.com/en-us/library/dd560670%28WS.10%29.aspx
> > Now both keys on client machine are in RC4-HMAC type (krbtgt and HTTP/fqdn_of_proxy)
> > That helped in my case.
> > Sounds not so good if this be AES256, but I think it's because of mixed mode of AD (2003 and 2008).
> > Try to communicate with microsoft about this.
> > P.S. Sorry for my English :)
> >
> > Regards,
> > Dmitry
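The checks this message implies, as an added example (not code from the thread, Squid or MIT Kerberos): it decodes the msktutil enctypes value, parses `klist -ekt` output, and flags an AES-256 service ticket on a krb5 library older than the 1.8.3 release named above. The keytab listing and principal are constructed, and treating every version below 1.8.3 as affected is an assumption; the thread only confirms 1.8.1.

```python
import re

# msDS-SupportedEncryptionTypes bit values; the number given to msktutil's
# enctypes option in the thread (28) is a sum of these.
ENCTYPE_BITS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "rc4-hmac",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}

# Key descriptions printed by MIT `klist -ekt`, as they appear in the thread.
KLIST_NAMES = {
    "DES cbc mode with CRC-32": "des-cbc-crc",
    "DES cbc mode with RSA-MD5": "des-cbc-md5",
    "ArcFour with HMAC/md5": "rc4-hmac",
    "AES-128 CTS mode with 96-bit SHA-1 HMAC": "aes128-cts-hmac-sha1-96",
    "AES-256 CTS mode with 96-bit SHA-1 HMAC": "aes256-cts-hmac-sha1-96",
}

FIXED_IN = (1, 8, 3)  # MIT Kerberos release the thread says carries the fix

# KVNO, date + time, principal, "(description)"
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+\s+\S+)\s+(\S+)\s+\((.+)\)\s*$")

# Constructed sample in the layout of the listings quoted in the thread.
SAMPLE_KLIST = """\
KVNO Timestamp         Principal
---- ----------------- ---------------------------------------------
   2 09/24/10 12:54:16 HTTP/proxy.example.test@EXAMPLE.TEST (ArcFour with HMAC/md5)
   2 09/24/10 12:54:16 HTTP/proxy.example.test@EXAMPLE.TEST (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   2 09/24/10 12:54:16 HTTP/proxy.example.test@EXAMPLE.TEST (AES-256 CTS mode with 96-bit SHA-1 HMAC)
"""


def decode_enctypes(mask):
    """Expand an enctypes bitmask such as 28 into enctype names."""
    return [name for bit, name in sorted(ENCTYPE_BITS.items()) if mask & bit]


def parse_klist(text):
    """Return (kvno, principal, enctype) for each key line of `klist -ekt`."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # header, separator or blank line
        kvno, _stamp, principal, desc = m.groups()
        entries.append((int(kvno), principal, KLIST_NAMES.get(desc, desc)))
    return entries


def krb5_version(pkg_version):
    """Upstream (major, minor, patch) from a distro package version string."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", pkg_version)
    if not m:
        raise ValueError("unrecognised version: %r" % pkg_version)
    return tuple(int(g or 0) for g in m.groups())


def assess(klist_text, pkg_version, ticket_enctype):
    """Classify a proxy host against the failure described in the thread.

    ticket_enctype is the service ticket type the client shows (kerbtray
    or klist on the Windows side), written as a krb5.conf enctype name.
    """
    keys = {enctype for _, _, enctype in parse_klist(klist_text)}
    if ticket_enctype not in keys:
        return "no-key: keytab has no %s key" % ticket_enctype
    if ticket_enctype.startswith("aes256") and krb5_version(pkg_version) < FIXED_IN:
        # Heuristic: the checksum type is not visible in klist output.
        return "at-risk: AES-256 ticket with krb5 older than 1.8.3"
    return "ok"


if __name__ == "__main__":
    print(decode_enctypes(28))
    print(assess(SAMPLE_KLIST, "1.8.1+dfsg-2ubuntu0.3", "aes256-cts-hmac-sha1-96"))
```
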
[squid-users] Re: Authentication using squid_kerb_auth with Internet Explorer 8 on Windows Server 2008 R2
My tests show the same. RC4 works but AES 128/256 fail. It seems to be some incompatibility between MS and MIT/Heimdal Kerberos libraries introduced in R2

Markus

"DmitrySh" wrote in message news:1288361044027-3019158.p...@n4.nabble.com...

I solved the problem on Win7 (temporary)
I set RC4-HMAC type for kerberos transactions in Local Security Policy
http://technet.microsoft.com/en-us/library/dd560670%28WS.10%29.aspx
Now both keys on client machine are in RC4-HMAC type (krbtgt and HTTP/fqdn_of_proxy)
That helped in my case.
Sounds not so good if this be AES256, but I think it's because of mixed mode of AD (2003 and 2008).
Try to communicate with microsoft about this.
P.S. Sorry for my English :)

Regards,
Dmitry
[squid-users] Re: Authentication using squid_kerb_auth with Internet Explorer 8 on Windows Server 2008 R2
I solved the problem on Win7 (temporary)
I set RC4-HMAC type for kerberos transactions in Local Security Policy
http://technet.microsoft.com/en-us/library/dd560670%28WS.10%29.aspx
Now both keys on client machine are in RC4-HMAC type (krbtgt and HTTP/fqdn_of_proxy)
That helped in my case.
Sounds not so good if this be AES256, but I think it's because of mixed mode of AD (2003 and 2008).
Try to communicate with microsoft about this.
P.S. Sorry for my English :)

Regards,
Dmitry
[squid-users] Re: Authentication using squid_kerb_auth with Internet Explorer 8 on Windows Server 2008 R2
I will try to get a 2008 R2 box, but it will take some time as I have only a 32bit system and R2 is 64bit.

Markus

"Paul Freeman" wrote in message news:19672eecfb9ae340833c84f3e90b5956042a4...@mel-ex-01.eml.local...

Hi.

I have successfully installed Squid 3.1.8 on Ubuntu 10.04LTS and have enabled Kerberos/NTLM authentication using the squid_kerb_auth helper. This setup is working well and successfully authenticates Windows domain users when they are logged in using their domain credentials on Windows XP workstations using Internet Explorer (v6,7 and 8) and Firefox.

Squid is configured with two helpers, the first, squid_kerb_auth and the second, the Samba ntlm helper.

However, today I came across a problem when using Internet Explorer 8 on a server running Windows Server 2008 R2. The IE8 enhanced security mode is disabled and the logged in user is a standard domain user. The Windows server is joined to the domain and is not a domain controller. The Windows server is up to date with Microsoft patches and updates.

Authentication is failing for some reason. Instead of authenticating silently, the user is prompted for a username and password 6 times before receiving the Cache Access Denied message.

If I disable the squid_kerb_auth helper in squid.conf and restart squid, leaving only the Samba NTLM helper, authentication works successfully.

In cache.log I find:
squid_kerb_auth: DEBUG: Got 'YR YII...
squid_kerb_auth: DEBUG: Decode 'YII...
squid_kerb_auth: ERROR: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information.
squid_kerb_auth: INFO: User not authenticated
authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH gss_accept_sec_contect() failed: Unspecified GSS failure. Minor code may provide more information. '

Has anyone else found this with IE8 on Windows Server 2008 R2? Is it due to the 64-bit version of IE8 or some unusual interaction between the IE8 version shipped with Windows Server 2008 R2 and the squid_kerb_auth module?

I have a Wireshark capture of the traffic between the browser session on Windows Server 2008 R2 and the proxy server during authentication and would like to assist with investigating the problem further if someone can provide some advice as to where to look.

Regards

Paul
RE: [squid-users] Re: Authentication using squid_kerb_auth with Internet Explorer 8 on Windows Server 2008 R2
Markus

OK - I was not sure whether the Kerberos libraries used openssl code.

I have captured traffic for the following where a domain user is logged onto a w2k8 R2 server (named my-server.my.domain for this discussion) running the 32-bit version of IE8:
1. Between my-server.my.domain and the AD servers
2. Between my-server.my.domain and the squid 3.1.8 proxy server.

I have also captured the traffic between the proxy server and the AD servers while executing the kinit command you requested.

It's probably not a good idea to post the logs here. Is there anything you want me to look for?

I have done some investigation and notice a couple of things which may or may not be relevant or important:
1. When my-server.my.domain issues the TGS-REQ it specifies the forwardable, renewable and canonicalize flags. For a similar setup except using Win XP, only the forwardable, renewable flags are set.
2. For the browser session on my-server.my.domain I notice there are repeated AS-REQ/TGS-REQ requests, even though as far as I can tell the requests are granted. There are also (probably expected) multiple KRB Error: KRB5KDC_ERR_PRE_PREAUTH_REQUIRED messages which look like they match the AS-REQ/TGS-REQ requests.

When I look in the security logs of the 2 AD domain controllers, I do not see any failed Kerberos events but I notice the requests from server my-server.my.domain have the Client-Address: value set to ::fff:192.168.x.y. I presume this is an IPv6 address? IPv6 is not selected on the nic of my-server.my.domain. For the Win XP server, there are 2 event log entries, one for Client-Address: ::fff:192.168.x.z and the next one for Client-Address is 192.168.x.z. I have not observed the multiple Kerberos on Win XP.

Please let me know how I can further assist this investigation.

Regards

Paul

> -----Original Message-----
> From: Markus Moeller [mailto:hua...@moeller.plus.com]
> Sent: Wednesday, 27 October 2010 9:15 AM
> To: squid-users@squid-cache.org
> Subject: [squid-users] Re: Authentication using squid_kerb_auth with Internet Explorer 8 on Windows Server 2008 R2
>
> Hi Paul,
>
> As far as I know the Kerberos libraries do not use openssl code. Can you capture the traffic between your 2008 server and AD on port 88 and between the 2008 server and squid on 3128 (the squid port). Can you also capture the traffic between squid and AD when you try a kinit -kt squid.keytab HTTP/my-proxy-server.my.dom...@my.domain
>
> Regards
> Markus
>
> "Paul Freeman" wrote in message news:19672eecfb9ae340833c84f3e90b595604378...@mel-ex-01.eml.local...
> Hi Nick
> Thanks for looking at this. I appreciate your help.
>
> My answers to your questions are in line below
>
> > -----Original Message-----
> > From: Nick Cairncross [mailto:nick.cairncr...@condenast.co.uk]
> > Sent: Tuesday, 26 October 2010 8:36 PM
> > To: Paul Freeman; Squid Users
> > Subject: Re: [squid-users] Authentication using squid_kerb_auth with Internet Explorer 8 on Windows Server 2008 R2
> >
> >
> > On 26/10/2010 03:56, "Paul Freeman" wrote:
> >
> >
> > >Hi.
> > >I have successfully installed Squid 3.1.8 on Ubuntu 10.04LTS and have enabled Kerberos/NTLM authentication using the squid_kerb_auth helper. This setup is working well and successfully authenticates Windows domain users when they are logged in using their domain credentials on Windows XP workstations using Internet Explorer (v6,7 and 8) and Firefox.
> > >
> > >Squid is configured with two helpers, the first, squid_kerb_auth and the second, the Samba ntlm helper.
> > >
> > >However, today I came across a problem when using Internet Explorer 8 on a server running Windows Server 2008 R2. The IE8 enhanced security mode is disabled and the logged in user is a standard domain user. The Windows server is joined to the domain and is not a domain controller. The Windows server is up to date with Microsoft patches and updates.
> > >
> > >Authentication is failing for some reason. Instead of authenticating silently, the user is prompted for a username and password 6 times before receiving the Cache Access Denied message.
> > >
> > >If I disable the squid_kerb_auth helper in squid.conf and restart squid, leaving only the Samba NTLM helper, authentication works successfully.
> > >
> > >In cache.log I find:
> > >squid_kerb_auth: DEBUG: Got 'YR YII...
> > >
[squid-users] Re: Authentication using squid_kerb_auth with Internet Explorer 8 on Windows Server 2008 R2
Nick Cairncross wrote:
>
> What's your AD 2008 or 2003?
>

AD Servers are 2008R2 in 2003 mode

Nick Cairncross wrote:
>
> Did you use msktutil to create your keytab or ktpass? I found a few issues with ktpass. Are you authenticating against the same computer as the squid server or a dummy account?
>

I'm using msktutil for keytab generation and it's create computer account in AD with the same hostname as for squid proxy server. I'm generating keytab with -enctypes 28 flags (as I understand it's for WinServer 2008) therefore I have AES128 and AES256 records in keytab. When I try to use DES my AD didn't understand kinit requests.

Here's my set up

8 10/21/10 13:58:07 HTTP/vmproxy.f...@fqdn (ArcFour with HMAC/md5)
8 10/21/10 13:58:07 HTTP/vmproxy.f...@fqdn (AES-128 CTS mode with 96-bit SHA-1 HMAC)
8 10/21/10 13:58:07 HTTP/vmproxy.f...@fqdn (AES-256 CTS mode with 96-bit SHA-1 HMAC)

krb5.conf
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac

Regards,
Dmitry Gorbunov
[squid-users] Re: Authentication using squid_kerb_auth with Internet Explorer 8 on Windows Server 2008 R2
Hi Paul,

As far as I know the Kerberos libraries do not use openssl code. Can you capture the traffic between your 2008 server and AD on port 88 and between the 2008 server and squid on 3128 (the squid port). Can you also capture the traffic between squid and AD when you try a kinit -kt squid.keytab HTTP/my-proxy-server.my.dom...@my.domain

Regards
Markus

"Paul Freeman" wrote in message news:19672eecfb9ae340833c84f3e90b595604378...@mel-ex-01.eml.local...

Hi Nick
Thanks for looking at this. I appreciate your help.

My answers to your questions are in line below

-----Original Message-----
From: Nick Cairncross [mailto:nick.cairncr...@condenast.co.uk]
Sent: Tuesday, 26 October 2010 8:36 PM
To: Paul Freeman; Squid Users
Subject: Re: [squid-users] Authentication using squid_kerb_auth with Internet Explorer 8 on Windows Server 2008 R2

On 26/10/2010 03:56, "Paul Freeman" wrote:

>Hi.
>I have successfully installed Squid 3.1.8 on Ubuntu 10.04LTS and have enabled Kerberos/NTLM authentication using the squid_kerb_auth helper. This setup is working well and successfully authenticates Windows domain users when they are logged in using their domain credentials on Windows XP workstations using Internet Explorer (v6,7 and 8) and Firefox.
>
>Squid is configured with two helpers, the first, squid_kerb_auth and the second, the Samba ntlm helper.
>
>However, today I came across a problem when using Internet Explorer 8 on a server running Windows Server 2008 R2. The IE8 enhanced security mode is disabled and the logged in user is a standard domain user. The Windows server is joined to the domain and is not a domain controller. The Windows server is up to date with Microsoft patches and updates.
>
>Authentication is failing for some reason. Instead of authenticating silently, the user is prompted for a username and password 6 times before receiving the Cache Access Denied message.
>
>If I disable the squid_kerb_auth helper in squid.conf and restart squid, leaving only the Samba NTLM helper, authentication works successfully.
>
>In cache.log I find:
>squid_kerb_auth: DEBUG: Got 'YR YII...
>squid_kerb_auth: DEBUG: Decode 'YII...
>squid_kerb_auth: ERROR: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information.
>squid_kerb_auth: INFO: User not authenticated
>authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH gss_accept_sec_contect() failed: Unspecified GSS failure. Minor code may provide more information. '
>
>Has anyone else found this with IE8 on Windows Server 2008 R2? Is it due to the 64-bit version of IE8 or some unusual interaction between the IE8 version shipped with Windows Server 2008 R2 and the squid_kerb_auth module?
>
>I have a Wireshark capture of the traffic between the browser session on Windows Server 2008 R2 and the proxy server during authentication and would like to assist with investigating the problem further if someone can provide some advice as to where to look.
>
>Regards
>
>Paul

Hi Paul,
Just my thoughts (which are minor in relation to the power of other listers..!): Are you specifically running the 64-bit version of IE? How does your DNS look? A/PTR records all in order? What does kerbtray show? What encoding for kerberos are you using? What does klist -ekt show? Correct FQDN in your browser?
Cheers
Nick

I presumed IE8 was the 64-bit version but on further checking I have found it is the 32-bit version. The 64-bit version is also installed and I have tried that with the same result.

As far as I know (I set DNS up :-) ), DNS is configured correctly with forward and reverse records.

I checked the Kerberos tickets on a Windows XP workstation that authenticates correctly to squid using IE8 (32-bit) and the Windows 2008 R2 server using IE8 (32-bit and 64-bit) and found tickets for the proxy server as follows:

Win XP Workstation:
Server: HTTP/my-proxy-server.my.dom...@my.domain
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
End Time: 10/27/2010 17:37:35
Renew Time: 11/3/2010 7:37:35

Win 2008 R2 server:
Client: my.login @ MY.DOMAIN
Server: HTTP/my-proxy-server.my.domain @ MY.DOMAIN
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a0 -> forwardable renewable pre_authent
Start Time: 10/27/2010 7:30:13 (local)
End Time: 10/27/2010 17:17:38 (local)
Renew Time: 11/3/2010 7:17:38 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96

The key difference is the ticket encryption type: RC4-HMAC for Win XP vs AES-256-HMAC-SHA1 for Win 2008 R2.

On the proxy server, klist -ekt ticket_file shows:

KVNO Timestamp Principal
2 09/24/10 12:54:16 HTTP/my-proxy-server.my.dom...@my.domain (ArcFour with HMAC/md5)
2 09/24/10 12:54:16 HTTP/my-proxy-server.my.dom...@my.domain (AES-128 CTS mode with 96-bit SHA-1 HMAC)
2 09/24/10 12:54:16 HTTP/my-proxy-server.my.dom...@my.domain (AES-256 CTS mode with 96-bit SHA-1 HMAC)

I have just remembered that I recently came ac
RE: [squid-users] Re: Authentication using squid_kerb_auth with Internet Explorer 8 on Windows Server 2008 R2
Hi Markus

My AD servers (I have 2) are both Windows 2008 R2. AD is running at the 2003 functional level.

The AD environment is the same one that is working OK with Squid and Kerberos authentication for Windows XP workstations running IE8.

Regards

Paul

> -----Original Message-----
> From: Markus Moeller [mailto:hua...@moeller.plus.com]
> Sent: Wednesday, 27 October 2010 5:09 AM
> To: squid-users@squid-cache.org
> Subject: [squid-users] Re: Authentication using squid_kerb_auth with Internet Explorer 8 on Windows Server 2008 R2
>
> Hi Paul,
>
> Is your AD server 2003 or 2008 ?
>
> Markus
>
> "Paul Freeman" wrote in message news:19672eecfb9ae340833c84f3e90b5956042a4...@mel-ex-01.eml.local...
> Hi.
> I have successfully installed Squid 3.1.8 on Ubuntu 10.04LTS and have enabled Kerberos/NTLM authentication using the squid_kerb_auth helper. This setup is working well and successfully authenticates Windows domain users when they are logged in using their domain credentials on Windows XP workstations using Internet Explorer (v6,7 and 8) and Firefox.
>
> Squid is configured with two helpers, the first, squid_kerb_auth and the second, the Samba ntlm helper.
>
> However, today I came across a problem when using Internet Explorer 8 on a server running Windows Server 2008 R2. The IE8 enhanced security mode is disabled and the logged in user is a standard domain user. The Windows server is joined to the domain and is not a domain controller. The Windows server is up to date with Microsoft patches and updates.
>
> Authentication is failing for some reason. Instead of authenticating silently, the user is prompted for a username and password 6 times before receiving the Cache Access Denied message.
>
> If I disable the squid_kerb_auth helper in squid.conf and restart squid, leaving only the Samba NTLM helper, authentication works successfully.
>
> In cache.log I find:
> squid_kerb_auth: DEBUG: Got 'YR YII...
> squid_kerb_auth: DEBUG: Decode 'YII...
> squid_kerb_auth: ERROR: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information.
> squid_kerb_auth: INFO: User not authenticated
> authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH gss_accept_sec_contect() failed: Unspecified GSS failure. Minor code may provide more information. '
>
> Has anyone else found this with IE8 on Windows Server 2008 R2? Is it due to the 64-bit version of IE8 or some unusual interaction between the IE8 version shipped with Windows Server 2008 R2 and the squid_kerb_auth module?
>
> I have a Wireshark capture of the traffic between the browser session on Windows Server 2008 R2 and the proxy server during authentication and would like to assist with investigating the problem further if someone can provide some advice as to where to look.
>
> Regards
>
> Paul
>
[squid-users] Re: Authentication using squid_kerb_auth with Internet Explorer 8 on Windows Server 2008 R2
Hi Paul,

Is your AD server 2003 or 2008 ?

Markus

"Paul Freeman" wrote in message news:19672eecfb9ae340833c84f3e90b5956042a4...@mel-ex-01.eml.local...

Hi.

I have successfully installed Squid 3.1.8 on Ubuntu 10.04LTS and have enabled Kerberos/NTLM authentication using the squid_kerb_auth helper. This setup is working well and successfully authenticates Windows domain users when they are logged in using their domain credentials on Windows XP workstations using Internet Explorer (v6,7 and 8) and Firefox.

Squid is configured with two helpers, the first, squid_kerb_auth and the second, the Samba ntlm helper.

However, today I came across a problem when using Internet Explorer 8 on a server running Windows Server 2008 R2. The IE8 enhanced security mode is disabled and the logged in user is a standard domain user. The Windows server is joined to the domain and is not a domain controller. The Windows server is up to date with Microsoft patches and updates.

Authentication is failing for some reason. Instead of authenticating silently, the user is prompted for a username and password 6 times before receiving the Cache Access Denied message.

If I disable the squid_kerb_auth helper in squid.conf and restart squid, leaving only the Samba NTLM helper, authentication works successfully.

In cache.log I find:
squid_kerb_auth: DEBUG: Got 'YR YII...
squid_kerb_auth: DEBUG: Decode 'YII...
squid_kerb_auth: ERROR: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information.
squid_kerb_auth: INFO: User not authenticated
authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH gss_accept_sec_contect() failed: Unspecified GSS failure. Minor code may provide more information. '

Has anyone else found this with IE8 on Windows Server 2008 R2? Is it due to the 64-bit version of IE8 or some unusual interaction between the IE8 version shipped with Windows Server 2008 R2 and the squid_kerb_auth module?

I have a Wireshark capture of the traffic between the browser session on Windows Server 2008 R2 and the proxy server during authentication and would like to assist with investigating the problem further if someone can provide some advice as to where to look.

Regards

Paul
Re: [squid-users] Re: Authentication using squid_kerb_auth with Internet Explorer 8 on Windows Server 2008 R2
On 26/10/2010 14:58, "DmitrySh" wrote:

>Nick Cairncross wrote:
>>
>> Hi Paul,
>> Just my thoughts (which are minor in relation to the power of other listers..!): Are you specifically running the 64-bit version of IE? How does your DNS look? A/PTR records all in order? What does kerbtray show? What encoding for kerberos are you using? What does klist -ekt show? Correct FQDN in your browser?
>> Cheers
>> Nick
>>
>I think we can exclude mistake in FQDN in browser, 64-bit version of browser ('cause I'm using 32-bit OS and browsers)
>In kerbtray I have some keys
>HTTP/squidhostname.domain.com - AES256-CTS-HMAC-SHA1-96
>krbtgt/DOMAIN.COM - RSADSI-RC4-HMAC
>
>in keytab file 3 records with different encryption types:
>ArcFour with HMAC/md5
>AES-128 CTS mode with 96-bit SHA-1 HMAC
>AES-256 CTS mode with 96-bit SHA-1 HMAC
>
>What about DNS, how this can affect on helper work?
>
>Regards,
>Dmitry Gorbunov

That seems ok so far. DNS correctness is essential for Kerberos (A and PTR) but that sounds like it's ok for you if other clients are ok. As are SPNs and KVNO. I have 2008 x86 servers in a 2003 AD environment and I don't have any issues with them (that I know of). What's your AD 2008 or 2003?

Did you use msktutil to create your keytab or ktpass? I found a few issues with ktpass. Are you authenticating against the same computer as the squid server or a dummy account?

Here's my set up. I am Squid 3STABLE20 though..

6 07/22/10 10:46:26 HTTP/squ...@fqdn (DES cbc mode with CRC-32)
6 07/22/10 10:46:26 HTTP/squ...@fqdn (DES cbc mode with RSA-MD5)
6 07/22/10 10:46:26 HTTP/squ...@fqdn (ArcFour with HMAC/md5)
6 07/22/10 10:46:26 HTTP/squid1.f...@fqdn (DES cbc mode with CRC-32)
6 07/22/10 10:46:26 HTTP/squid1.f...@fqdn (DES cbc mode with RSA-MD5)
6 07/22/10 10:46:26 HTTP/squid1.f...@fqdn (ArcFour with HMAC/md5)

(I generated my keytab to include the short name as well as long)

default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

Server 2008 shows a key for HTTP/squid1.f...@fqdn RSADSI-RC4-HMAC

I will shortly be building a 3.1.8 squid box for upgrade and can report back on that.

Nick
[squid-users] Re: Authentication using squid_kerb_auth with Internet Explorer 8 on Windows Server 2008 R2
Nick Cairncross wrote:
>
> Hi Paul,
> Just my thoughts (which are minor in relation to the power of other listers..!): Are you specifically running the 64-bit version of IE? How does your DNS look? A/PTR records all in order? What does kerbtray show? What encoding for kerberos are you using? What does klist -ekt show? Correct FQDN in your browser?
> Cheers
> Nick
>

I think we can exclude mistake in FQDN in browser, 64-bit version of browser ('cause I'm using 32-bit OS and browsers)

In kerbtray I have some keys
HTTP/squidhostname.domain.com - AES256-CTS-HMAC-SHA1-96
krbtgt/DOMAIN.COM - RSADSI-RC4-HMAC

in keytab file 3 records with different encryption types:
ArcFour with HMAC/md5
AES-128 CTS mode with 96-bit SHA-1 HMAC
AES-256 CTS mode with 96-bit SHA-1 HMAC

What about DNS, how this can affect on helper work?

Regards,
Dmitry Gorbunov
[squid-users] Re: Authentication using squid_kerb_auth with Internet Explorer 8 on Windows Server 2008 R2
Hello all.

I can join and confirm the same problem on client machine with IE8. Have the same errors in cache.log file when try to connect from IE8 and Firefox 3.6.10. Maybe it's not a browser problem, but OS version? I'm using Windows 7 operating system on this "problem" client machine. Maybe somewhere in Local Security Policy? Any suggestions?

Regards,
Dmitry Gorbunov