I did try msktutil at first but it crashed in flames (http://pastie.org/private/tjfwuprb8xdlm3hlrluwva).
I used ktpass which was already on my server (which is R2 SP2).

In any case, it's now working with RC4! I think the problem may have been a combination of

* Taking too long to copy the key to the squid machine (is this even possible?)
* Clock being out by a few minutes on one machine
* Restart of browser and/or Win7 required

Until I restarted my browser/machine, I kept getting this error:
2010/02/03 09:55:46| squid_kerb_auth: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. Key version number for principal in key table is incorrect


-------- Original Message --------
Subject: [squid-users] Re: Re: Unable to get Firefox to authenticate via Kerberos
From: Markus Moeller <hua...@moeller.plus.com>
To: squid-users@squid-cache.org
Date: 3/02/2010 11:14 a.m.
I recall that there was a problem with ktpass. Did you use the version for SP2? Can you try what is described in the squid wiki with msktutil?

Markus


"Mike Bordignon (GMI)" <m...@gmi.co.nz> wrote in message news:4b688f74.1050...@gmi.co.nz...

I did read that I shouldn't use DES but I wasn't able to get it going with RC4. Each time I generate a keytab with RC4 encryption I cannot get it going after copying to my squid box. Do I need to do anything to Windows Server 2003 to have it generate/accept tickets with RC4 encryption? From kerbtray it appears I already have other RC4 tickets, so I'm confused.

This is the command line I'm using to generate the keytab:

ktpass -princ HTTP/f...@realm -mapuser u...@realm -pass password -ptype KRB5_NT_SRV_HST -out squid.keytab

The errors I receive in cache.log after generating the keytab with ktpass are as follows:

2010/02/03 09:45:49| squid_kerb_auth: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid (length: 59).
2010/02/03 09:45:49| squid_kerb_auth: parseNegTokenInit failed with rc=101
2010/02/03 09:45:49| squid_kerb_auth: received type 1 NTLM token

In /etc/krb5.conf I have:
  permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
  default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
  default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5

Any suggestions?


-------- Original Message --------
Subject: [squid-users] Re: Unable to get Firefox to authenticate via Kerberos
From: Markus Moeller <hua...@moeller.plus.com>
To: squid-users@squid-cache.org
Date: 2/02/2010 7:21 p.m.
BTW, you shouldn't use DES encryption anymore as it is too weak and will be disabled in future Kerberos libraries (as you have noticed in Windows 7). Use RC4 or AES.

Markus

"Mike Bordignon (GMI)" <m...@gmi.co.nz> wrote in message news:4b676552.20...@gmi.co.nz...

No matter - this was the problem
http://www.mcplusa.com/blog/2009/10/authentication-with-kerberos-on-windows-7-and-the-google-search-appliance/


-------- Original Message --------
Subject: [squid-users] Unable to get Firefox to authenticate via Kerberos
From: Mike Bordignon (GMI) <m...@gmi.co.nz>
To: squid-users@squid-cache.org
Date: 2/02/2010 11:03 a.m.
Hello,

I've recently managed to setup squid3.0 (STABLE8, on Debian Lenny) to
authenticate requests via a Win2003 machine over Kerberos. It's working
well with IE7 (on XP), but neither IE8 nor FF3.0 (both on Windows 7)
will authenticate successfully. When I configure a squid_ldap_auth
backup it will authenticate, but when I specify only negotiate it will
fail miserably.

This is what I'm getting in cache.log:

2010/02/02 10:53:48| squid_kerb_auth: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid (length: 59).
2010/02/02 10:53:48| squid_kerb_auth: parseNegTokenInit failed with rc=101
2010/02/02 10:53:48| squid_kerb_auth: received type 1 NTLM token

This puzzles me as I've setup network.negotiate-auth.trusted-uris in
Firefox correctly (I've tried setting it to both domain.com and
proxy.domain.com). Using kerbtray I don't appear to have any tickets for
http/fqdn/realm.com. Should I have? Do I need to restart Windows?

IE8 appears to prompt for Integrated Security but when I enter my
credentials nothing happens. The same log entry above appears.

Any help much appreciated.



cheers
Mike




--
Mike Bordignon
Gareth Morgan Investments
p: +64 4 494 6076
m: +64 21 614 308
w: http://gmi.co.nz
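The "received type 1 NTLM token" lines in this thread can be checked directly by decoding the base64 blob that squid_kerb_auth logs: a raw NTLMSSP message means the browser never obtained a Kerberos service ticket (which matches kerbtray showing no HTTP/ ticket), while a healthy client sends a GSS-API/SPNEGO token. The following is an added example, not code from the thread or from Squid: it extracts the token from a "Got 'YR ...'" log line, tells NTLMSSP apart from GSS-API by its framing, and for NTLM reports the message type and the client OS version field; the log line is the one quoted above, and the SPNEGO token is constructed by hand for comparison.

```python
import base64
import re
import struct

# Constructed sample: the squid_kerb_auth log line quoted in this thread.
SAMPLE_LOG = ("2010/02/02 10:53:48| squid_kerb_auth: Got "
              "'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' "
              "from squid (length: 59).")

# Constructed sample: a minimal SPNEGO NegTokenInit (hand-built DER) whose
# mechTypes list offers Kerberos first and NTLMSSP second.
SAMPLE_SPNEGO_B64 = base64.b64encode(bytes.fromhex(
    "6027" "06062b0601050502" "a01d" "301b" "a019" "3017"
    "06092a864886f712010202" "060a2b06010401823702020a")).decode()

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_NEGOTIATE_VERSION = 0x02000000
# DER-encoded OIDs as they appear inside a GSS-API/SPNEGO token.
OIDS = {
    bytes.fromhex("06062b0601050502"): "SPNEGO",             # 1.3.6.1.5.5.2
    bytes.fromhex("06092a864886f712010202"): "Kerberos",     # 1.2.840.113554.1.2.2
    bytes.fromhex("06092a864882f712010202"): "MS-Kerberos",  # 1.2.840.48018.1.2.2
    bytes.fromhex("060a2b06010401823702020a"): "NTLMSSP",    # 1.3.6.1.4.1.311.2.2.10
}


def classify_token(b64: str) -> dict:
    """Decode one negotiate token and report which mechanism the client sent."""
    raw = base64.b64decode(b64)
    if raw.startswith(NTLMSSP_SIGNATURE):
        # Raw NTLMSSP: the client fell back to NTLM, no Kerberos ticket involved.
        msg_type, flags = struct.unpack_from("<II", raw, 8)
        info = {"mechanism": "NTLM", "ntlm_type": msg_type, "flags": flags}
        if flags & NTLMSSP_NEGOTIATE_VERSION and len(raw) >= 40:
            major, minor, build = struct.unpack_from("<BBH", raw, 32)
            info["client_os"] = f"{major}.{minor} build {build}"
        return info
    if raw[:1] == b"\x60":
        # GSS-API InitialContextToken: list every mechanism OID found in it.
        return {"mechanism": "GSS-API",
                "oids": [name for oid, name in OIDS.items() if oid in raw]}
    return {"mechanism": "unknown", "length": len(raw)}


def diagnose_log_line(line: str) -> dict:
    """Pull the base64 token out of a squid_kerb_auth 'Got ...' line and classify it."""
    m = re.search(r"Got '(YR|KK) (\S+?)'", line)
    return classify_token(m.group(2)) if m else {"mechanism": "no-token"}


if __name__ == "__main__":
    print(diagnose_log_line(SAMPLE_LOG))
    print(classify_token(SAMPLE_SPNEGO_B64))
```

For the thread's token the result is an NTLM type 1 message with the standard Windows flag set and a version field of 6.1 build 7600, i.e. Windows 7, which is exactly the client that was failing.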