Re: [squid-users] Trouble getting kerberos auth working with squid 3.0

From: Steven Cardinal <steven.cardinal_at_gmail.com>
Date: Fri, 24 Oct 2008 07:38:57 -0400

Thanks Henrik,

That was my issue with Firefox - it now authenticates just fine. I've
been unable to get IE (6.0.2900.2180.xpsp_sp2_gdr.080814-1233) to
authenticate. I know this isn't a squid-specific thing, but any ideas
what setting in IE may be responsible for this? If not, no problem. I
appreciate your rapid response on my main issue.

Regards,

Steve

On Thu, Oct 23, 2008 at 3:03 PM, Henrik Nordstrom
<henrik_at_henriknordstrom.net> wrote:
> On Thu, 2008-10-23 at 14:25 -0400, Steven Cardinal wrote:
>> I see no sign on my DCs of any failed authentication. A tcpdump trace
>> on my workstation shows no attempts from my Windows PC to perform any
>> kerberos authentication. If I try running the command line specified
>> in the squid.conf, I get:
>
> Then your browsers do not trust the proxy with kerberos authentication.
> Verify that you have configured the proxy by name and not IP in the
> browser proxy settings. To be exact the proxy name needs to match both a
> name that the browser trusts with Kerberos authentication AND a server
> kerberos ticket (or whatever those are called, kept in the keytab,
> kerberos is not a strong field of mine..)
>
>> I'm guessing, however, that squid_kerb_auth can't be run just like
>> that, however.
>
> Correct. You need to speak base64 encoded GSSAPI wrapped in Microsoft
> Negotiate SSP protocol format wrapped in the "Squid NTLM/Negotiate
> protocol" to it..
>
>> Any ideas where I should look? I set my keytab file to be
>> world-readable as a test and that didn't help.
>
> It seems you don't even get that far.. the very first steps are not
> dependent on the helper, only browser.. only when the browser agrees on
> sending the initial negotiation packet is the helper called. Until then
> all that happens is that Squid says that authentication is required to
> continue and the Negotiate SSP authentication protocol is supported.
>
> Regards
> Henrik
>
Received on Fri Oct 24 2008 - 11:39:01 MDT
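
Added example, not part of the original messages and not Squid code: a Python check that reads captured HTTP header blocks and reports how far the Negotiate handshake described in the thread got, that is, whether the proxy offered Negotiate, whether the browser answered, and whether the token it sent is GSSAPI/Kerberos or an NTLM fallback. The function names and the sample capture are constructed for illustration.

```python
import base64

NTLMSSP_MAGIC = b"NTLMSSP\x00"   # every NTLM message starts with this signature

def classify_token(b64_token):
    """Classify the blob a client sends after 'Negotiate '."""
    try:
        raw = base64.b64decode(b64_token, validate=True)
    except ValueError:               # binascii.Error is a ValueError subclass
        return "invalid-base64"
    if raw.startswith(NTLMSSP_MAGIC):
        return "ntlm"                # client fell back to NTLM, no Kerberos ticket
    if raw[:1] == b"\x60":           # ASN.1 [APPLICATION 0]: GSSAPI initial token
        return "gssapi"
    return "unknown"

def diagnose(header_blocks):
    """Walk captured header blocks in order; report how far the handshake got."""
    offered = False
    for block in header_blocks:
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if not sep:
                continue             # status line without a colon
            name, value = name.strip().lower(), value.strip()
            scheme, _, token = value.partition(" ")
            if scheme.lower() != "negotiate":
                continue
            if name == "proxy-authenticate":
                offered = True       # the proxy's 407 advertised Negotiate
            elif name == "proxy-authorization":
                # Only from this point on is the auth helper involved at all.
                return "client-sent-" + classify_token(token.strip())
    return "client-never-answered" if offered else "negotiate-not-offered"

# Constructed sample capture (not taken from the thread).
CHALLENGE = ("HTTP/1.1 407 Proxy Authentication Required\r\n"
             "Proxy-Authenticate: Negotiate\r\n")
PLAIN_RETRY = "GET http://example.test/ HTTP/1.1\r\nHost: example.test\r\n"
GSS_RETRY = (PLAIN_RETRY + "Proxy-Authorization: Negotiate "
             + base64.b64encode(b"\x60\x82\x01\x00" + bytes(8)).decode() + "\r\n")
NTLM_RETRY = (PLAIN_RETRY + "Proxy-Authorization: Negotiate "
              + base64.b64encode(NTLMSSP_MAGIC + b"\x01\x00\x00\x00").decode() + "\r\n")

if __name__ == "__main__":
    print(diagnose([PLAIN_RETRY, CHALLENGE, PLAIN_RETRY]))
```

A result of "client-never-answered" corresponds to the situation in the quoted reply: the proxy asked for Negotiate and the browser never sent a token, so the helper and keytab were not yet involved.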
