Markus
After further investigation using gdb I have been able to determine the
problem is caused by a particular combination of encryption and checksum
types which seems to only occur (at this stage) in Windows 2008 R2 and
possibly Windows 7 although I have not confirmed this.

In my Windows 2008 R2 environment (including Active Directory, running in
Windows 2003 mode rather than Windows 2008), the keytab which I created for
squid using msktutil (with enctypes = 28) gave me keys encrypted with ArcFour
with HMAC/md5, AES-128 CTS mode with 96-bit SHA-1 HMAC and AES-256 CTS mode
with 96-bit SHA-1 HMAC.

The problem lies with the Kerberos libraries installed with Ubuntu 10.04 LTS
(1.8.1+dfsg-2ubuntu0.3).  They return an error when working with AES-256 and
the checksum encryption type ArcFour with HMAC/md5.  This has been reported
on the MIT Kerberos developers list
(http://mailmain.mit.edu/pipermail/krbdev/2010-July/009148.html) and assigned
ticket 6751.  This has been resolved and included in the MIT Kerberos 1.8.3
release.  However, it does not appear to have been backported to Ubuntu 10.04
LTS yet.

I compiled the MIT Kerberos 1.8.3 source and re-built squid_kerb_auth against
these libraries and the problem no longer occurs, i.e. a domain user logged
into a Windows 2008 R2 server can authenticate using Kerberos in IE8.
Kerberos authentication continues to work with IE8 and Firefox in Windows XP
for domain users.

I greatly appreciate the assistance of Markus Moeller in resolving this.
Without his guidance and suggestions it would have taken me a lot longer to
nail down the problem.

Hopefully this information will be of some use to others.

Regards

Paul

> -----Original Message-----
> From: Markus Moeller [mailto:hua...@moeller.plus.com]
> Sent: Sunday, 31 October 2010 6:45 AM
> To: squid-users@squid-cache.org
> Subject: [squid-users] Re: Authentication using squid_kerb_auth with
> Internet Explorer 8 on Windows Server 2008 R2
> 
> My tests show the same.  RC4 works but AES 128/256 fail.  It seems to be
> some incompatibility between MS and MIT/Heimdal Kerberos libraries
> introduced in R2.
> 
> Markus
> 
> "DmitrySh" <sbro...@inbox.lv> wrote in message
> news:1288361044027-3019158.p...@n4.nabble.com...
> >
> > I solved the problem on Win7 (temporarily).
> > I set the RC4-HMAC type for Kerberos transactions in Local Security Policy:
> > http://technet.microsoft.com/en-us/library/dd560670%28WS.10%29.aspx
> > Now both keys on the client machine are of RC4-HMAC type (krbtgt and
> > HTTP/fqdn_of_proxy).
> > That helps in my case.
> > Sounds not so good if this be AES256, but I think it's because of mixed
> > mode of AD (2003 and 2008).
> > Try to communicate with Microsoft about this.
> > P.S. Sorry for my English :)
> >
> > Regards,
> > Dmitry
> >
> 
> 
> 
> 
> __________ Information from ESET Smart Security, version of virus
> signature database 5586 (20101102) __________
> 
> The message was checked by ESET Smart Security.
> 
> http://www.eset.com
> 
 

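A check for the keytab described in this thread, as an added example that is not part of the original messages: it decodes the msktutil enctypes value (28 in Paul's case) and compares it with the enctypes a keytab listing actually contains. The principal name, keytab path and listing are constructed, and the enctype names are assumed to match the `klist -ke` wording quoted in the message above.

```python
import re

# Bit values used by msktutil --enctypes and msDS-SupportedEncryptionTypes,
# paired with the enctype names quoted in the message above.
ENCTYPE_BITS = {
    0x01: "DES cbc mode with CRC-32",
    0x02: "DES cbc mode with RSA-MD5",
    0x04: "ArcFour with HMAC/md5",
    0x08: "AES-128 CTS mode with 96-bit SHA-1 HMAC",
    0x10: "AES-256 CTS mode with 96-bit SHA-1 HMAC",
}
LEGACY_BITS = 0x01 | 0x02 | 0x04  # single DES and RC4

# Constructed sample in the style of `klist -ke` output (not from the thread).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Principal
---- ----------------------------------------------------------
   2 HTTP/proxy.example.com@EXAMPLE.COM (ArcFour with HMAC/md5)
   2 HTTP/proxy.example.com@EXAMPLE.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
"""

ENTRY = re.compile(r"^\s*\d+\s+(\S+)\s+\((.+)\)\s*$")

def decode_mask(mask):
    """Return (enctype names set in mask, leftover unknown bits)."""
    names = [name for bit, name in sorted(ENCTYPE_BITS.items()) if mask & bit]
    unknown = mask & ~sum(ENCTYPE_BITS)
    return names, unknown

def keytab_enctypes(klist_text, principal):
    """Collect the enctype names listed for one principal."""
    found = set()
    for line in klist_text.splitlines():
        m = ENTRY.match(line)
        if m and m.group(1) == principal:
            found.add(m.group(2))
    return found

def audit(mask, klist_text, principal):
    """Compare the requested mask with what the keytab really holds."""
    wanted, unknown = decode_mask(mask)
    have = keytab_enctypes(klist_text, principal)
    legacy, _ = decode_mask(mask & LEGACY_BITS)
    return {
        "missing": [n for n in wanted if n not in have],
        "unexpected": sorted(have - set(wanted)),
        "legacy": legacy,
        "unknown_bits": unknown,
    }

if __name__ == "__main__":
    print(audit(28, SAMPLE_KLIST, "HTTP/proxy.example.com@EXAMPLE.COM"))
```

A non-empty `missing` list means the KDC may issue tickets in an enctype the proxy has no key for; the `legacy` list shows which requested enctypes are single DES or RC4.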