Hi,

I've just managed to solve the authentication issue I had with a Google Talk 
client with Squid, hope this might help someone with the same problem.
I should say that the Google Talk client doesn't seem to work correctly with 
Kerberos proxy authentication, so this solution is more of a workaround. If 
someone can see through this and it really is not a Google Talk client problem 
but a Squid side Kerberos problem, please let me know. Now let me try to 
explain:

Squid (3.2.6) is configured to authenticate from AD using negotiate wrapper for 
Negotiate/NTLM and Negotiate/Kerberos, NTLM and Basic auth.

Google Talk clients (configured for proxy with auth - both options tried 
"Detect proxy automatically" and "Use the following proxy") produced these 
cache.log entries:

[2013/01/14 10:08:41.150742,  1] libsmb/ntlmssp.c:342(ntlmssp_update)
 got NTLMSSP command 3, expected 1

And debugging it I could see:

2013/01/14 10:08:41| negotiate_wrapper: received type 1 NTLM token

And later on:

2013/01/14 10:08:41| negotiate_wrapper: received type 3 NTLM token

So, the Google Talk client started with Kerberos and then switched to NTLM, which 
doesn't work.

Next, capturing the Kerberos traffic on the client I could see the following 
error from DC for the client's TGS-REQ:

error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)

And the Server Name value: HTTP/squid-server.my.domain:8080

This is definitely wrong, because the principal should be just 
HTTP/squid-server.my.domain without the :8080 (which is the port my squid 
listens on). I don't know why this is added to the request.

So, I checked this with spnquery.vbs (from a Windows machine, available from 
here: http://technet.microsoft.com/library/ee176972.aspx):

>cscript spnquery.vbs http/squid-server* my.domain

CN=squid-server-K,CN=Computers,DC=my,DC=domain
Class: computer
Computer DNS: squid-server.my.domain
-- HTTP/squid-server.my.domain
-- host/squid-server.my.domain

That is as it should be, HTTP and Host SPNs. But, the Google Talk client tries 
to get a ticket with another SPN.

So, to work around this, I added a new SPN (again, from Windows):

>setspn -A http/squid-server.my.domain:8080 squid-server-K

Checked the records again:

>cscript spnquery.vbs http/squid-server* my.domain

CN=squid-server-K,CN=Computers,DC=my,DC=domain
Class: computer
Computer DNS: squid-server.my.domain
-- http/squid-server.my.domain:8080
-- HTTP/squid-server.my.domain
-- host/squid-server.my.domain

And now the Google Talk client authenticates correctly using Squid with Kerberos.

Regards,

Tuukka
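As an added example (not part of Tuukka's post), the same check and workaround as a PowerShell script: it lists the SPNs already registered on the proxy's computer account, then registers the port-qualified SPN only if it is missing, using setspn -S so that a duplicate SPN elsewhere in the forest is refused rather than silently created. Host name, port and account name are assumed from the post.

```powershell
# Added example, not from the original post. Host, port and account are assumptions
# taken from the post; adjust them to your proxy and its computer account.
$ProxyHost = 'squid-server.my.domain'
$ProxyPort = 8080
$Account   = 'squid-server-K'        # computer account the Squid keytab belongs to

# The normal SPN (what the keytab is keyed for) and the port-qualified SPN that
# the Google Talk client asked for in its TGS-REQ.
$Wanted = @(
    "HTTP/$ProxyHost",
    "HTTP/${ProxyHost}:$ProxyPort"
)

# setspn -L prints a header line followed by one indented SPN per line;
# keep only the lines that look like service/host.
$Registered = setspn -L $Account |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -match '^[A-Za-z]+/' }

foreach ($Spn in $Wanted) {
    # -contains compares strings case-insensitively, which matches how AD matches SPNs
    # (http/... and HTTP/... are the same principal to the KDC).
    if ($Registered -contains $Spn) {
        Write-Host "present: $Spn"
    }
    else {
        Write-Host "missing: $Spn -> registering on $Account"
        # -S checks the forest for an existing copy of the SPN before adding it;
        # the same SPN on two accounts breaks Kerberos for that service.
        setspn -S $Spn $Account
    }
}
```

Run it from a domain-joined Windows host with rights to modify the computer account; it is idempotent, so re-running after the fix only reports both SPNs as present.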
