On 26/10/2010 03:56, "Paul Freeman" <paul.freeman_at_eml.com.au> wrote:
>Hi.
>I have successfully installed Squid 3.1.8 on Ubuntu 10.04LTS and have enabled
>Kerberos/NTLM authentication using the squid_kerb_auth helper. This setup is
>working well and successfully authenticates Windows domain users when they
>are logged in using their domain credentials on Windows XP workstations using
>Internet Explorer (v6, 7 and 8) and Firefox.
>
>Squid is configured with two helpers, the first, squid_kerb_auth and the
>second, the Samba ntlm helper.
>
>However, today I came across a problem when using Internet Explorer 8 on a
>server running Windows Server 2008 R2. The IE8 enhanced security mode is
>disabled and the logged in user is a standard domain user. The Windows
>server is joined to the domain and is not a domain controller. The Windows
>server is up to date with Microsoft patches and updates.
>
>Authentication is failing for some reason. Instead of authenticating
>silently, the user is prompted for a username and password 6 times before
>receiving the Cache Access Denied message.
>
>If I disable the squid_kerb_auth helper in squid.conf and restart squid,
>leaving only the Samba NTLM helper, authentication works successfully.
>
>In cache.log I find:
>squid_kerb_auth: DEBUG: Got 'YR YII...
>squid_kerb_auth: DEBUG: Decode 'YII...
>squid_kerb_auth: ERROR: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information.
>squid_kerb_auth: INFO: User not authenticated
>authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH gss_accept_sec_contect() failed: Unspecified GSS failure. Minor code may provide more information. '
>
>Has anyone else found this with IE8 on Windows Server 2008 R2? Is it due to
>the 64-bit version of IE8 or some unusual interaction between the IE8 version
>shipped with Windows Server 2008 R2 and the squid_kerb_auth module?
>
>I have a Wireshark capture of the traffic between the browser session on
>Windows Server 2008 R2 and the proxy server during authentication and would
>like to assist with investigating the problem further if someone can provide
>some advice as to where to look.
>
>Regards
>
>Paul

Hi Paul,

Just my thoughts (which are minor in relation to the power of other
listers..!): Are you specifically running the 64-bit version of IE? How
does your DNS look? A/PTR records all in order? What does kerbtray show?
What encoding for Kerberos are you using? What does klist -ekt <keytab>
show? Correct FQDN in your browser?

Cheers
Nick
Received on Tue Oct 26 2010 - 09:35:38 MDT
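
The keytab and kerbtray checks suggested in the reply can be compared mechanically. The following is an added example, not part of either message: it parses klist -ekt output and reports whether the keytab holds a key for HTTP/<proxy FQDN>@<REALM> in the encryption type shown for the client's ticket. The sample output, keytab path, host name, realm and function names are constructed for illustration.

```python
import re

# Constructed sample of `klist -ekt <keytab>` output (MIT Kerberos layout);
# the keytab path, host, realm and key version are made up for this example.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------------
   3 10/25/10 14:02:11 HTTP/proxy.example.com@EXAMPLE.COM (arcfour-hmac)
   3 10/25/10 14:02:11 HTTP/proxy.example.com@EXAMPLE.COM (des-cbc-md5)
"""

ENTRY = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((.+)\)\s*$")
FAMILIES = (("aes256", ("aes256",)), ("aes128", ("aes128",)),
            ("rc4", ("rc4", "arcfour")), ("des3", ("des3", "tripledes")),
            ("des", ("des",)))

def family(enctype):
    """Collapse MIT and Windows spellings of an enctype to one family name."""
    s = re.sub(r"[^a-z0-9]", "", enctype.lower())
    for fam, keys in FAMILIES:
        if any(k in s for k in keys):
            return fam
    return s

def parse_klist(text):
    """Return (kvno, principal, enctype family) for every keytab entry."""
    matches = (ENTRY.match(line) for line in text.splitlines())
    return [(int(m.group(1)), m.group(2), family(m.group(3))) for m in matches if m]

def check_keytab(text, proxy_fqdn, realm, ticket_enctype):
    """List mismatches between the keytab and the ticket the browser presents."""
    want = "HTTP/%s@%s" % (proxy_fqdn, realm)
    entries = parse_klist(text)
    have = {fam for _, p, fam in entries if p == want}
    if not have:
        # Principal names are case-sensitive; show near misses to spot FQDN typos.
        near = sorted({p for _, p, _ in entries if p.lower() == want.lower()})
        hint = " (case differs: %s)" % ", ".join(near) if near else ""
        return ["no key for %s%s" % (want, hint)]
    fam = family(ticket_enctype)
    if fam not in have:
        return ["ticket uses %s but keytab only has %s" % (fam, ", ".join(sorted(have)))]
    return []

if __name__ == "__main__":
    # ticket_enctype is the value read from kerbtray or klist on the client.
    print(check_keytab(SAMPLE_KLIST, "proxy.example.com", "EXAMPLE.COM",
                       "AES-256-CTS-HMAC-SHA1-96"))
```

An empty list means the keytab has a matching principal and key type, which points the investigation at DNS or the FQDN configured in the browser instead.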