Re: [squid-users] Trouble getting kerberos auth working with squid 3.0

From: Malte Schröder <maltesch_at_gmx.de>
Date: Fri, 24 Oct 2008 13:59:36 +0200

Hello,
IE6 does not support the Negotiate authentication scheme for proxies.
It supports it only against web servers.

Regards
Malte

On Fri, 24 Oct 2008 07:38:57 -0400
"Steven Cardinal" <steven.cardinal_at_gmail.com> wrote:

> Thanks Henrik,
>
> That was my issue with Firefox - it now authenticates just fine. I've
> been unable to get IE (6.0.2900.2180.xpsp_sp2_gdr.080814-1233) to
> authenticate. I know this isn't a squid-specific thing, but any ideas
> what setting in IE may be responsible for this? If not, no problem. I
> appreciate your rapid response on my main issue.
>
> Regards,
>
> Steve
>
> On Thu, Oct 23, 2008 at 3:03 PM, Henrik Nordstrom
> <henrik_at_henriknordstrom.net> wrote:
> > On tor, 2008-10-23 at 14:25 -0400, Steven Cardinal wrote:
> >> I see no sign on my DCs of any failed authentication. A tcpdump trace
> >> on my workstation shows no attempts from my Windows PC to perform any
> >> kerberos authentication. If I try running the command line specified
> >> in the squid.conf, I get:
> >
> > Then your browsers do not trust the proxy with kerberos authentication.
> > Verify that you have configured the proxy by name and not IP in the
> > browser proxy settings. To be exact the proxy name needs to match both a
> > name that the browser trusts with Kerberos authentication AND a server
> > kerberos ticket (or whatever those are called, kept in the keytab,
> > kerberos is not a strong field of mine..)
> >
> >> I'm guessing, however, that squid_kerb_auth can't be run just like
> >> that, however.
> >
> > Correct. You need to speak base64 encoded GSSAPI wrapped in Microsoft
> > Negotiate SSP protocol format wrapped in the "Squid NTLM/Negotiate
> > protocol" to it..
> >
> >> Any ideas where I should look? I set my keytab file to be
> >> world-readable as a test and that didn't help.
> >
> > It seems you don't even get that far.. the very first steps are not
> > dependent on the helper, only the browser.. only when the browser agrees on
> > sending the initial negotiation packet is the helper called. Until then
> > all that happens is that Squid says that authentication is required to
> > continue and the Negotiate SSP authentication protocol is supported.
> >
> > Regards
> > Henrik
> >
>

-- 
---------------------------------------
Malte Schröder
MalteSch_at_gmx.de
ICQ# 68121508
---------------------------------------

Received on Fri Oct 24 2008 - 11:59:48 MDT
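
The handshake described in the thread can be checked from a packet capture. The following is an added example, not code from any poster or from Squid: it reports whether the proxy offered Negotiate, whether the client answered, and whether the client's token is Kerberos or NTLM carried inside Negotiate. The function names and the sample capture are constructed for illustration.

```python
import base64

# DER encoding of the Kerberos 5 mechanism OID 1.2.840.113554.1.2.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")

def classify_token(b64):
    """Identify the mechanism inside a base64 Negotiate token."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return "invalid"
    if raw.startswith(b"NTLMSSP\x00"):   # NTLM message carried in Negotiate
        return "ntlm"
    if raw[:1] == b"\x60":               # GSS-API InitialContextToken tag
        return "kerberos" if KRB5_OID in raw else "gssapi-other"
    return "unknown"

def header_values(block, name):
    """Return all values of one header (case-insensitive) in a header block."""
    prefix = name.lower() + ":"
    return [line.split(":", 1)[1].strip() for line in block.splitlines()
            if line.lower().startswith(prefix)]

def handshake_stage(blocks):
    """blocks: HTTP header blocks (requests and responses) in capture order."""
    offered = False
    for block in blocks:
        if block.startswith("HTTP/") and " 407 " in block.splitlines()[0]:
            schemes = header_values(block, "Proxy-Authenticate")
            offered = offered or any(
                v.split()[0].lower() == "negotiate" for v in schemes if v)
        for value in header_values(block, "Proxy-Authorization"):
            scheme, _, token = value.partition(" ")
            if scheme.lower() == "negotiate":
                return "client-sent-" + classify_token(token.strip())
    # Proxy offered Negotiate but the browser never replied: the helper
    # is never invoked in this case, so the cause is on the browser side.
    return "browser-silent" if offered else "no-negotiate-challenge"

# Constructed capture: proxy challenges, browser repeats the request unauthenticated.
CAPTURE_SILENT = [
    "GET http://example.test/ HTTP/1.1\r\nHost: example.test\r\n",
    "HTTP/1.0 407 Proxy Authentication Required\r\n"
    "Proxy-Authenticate: Negotiate\r\n",
    "GET http://example.test/ HTTP/1.1\r\nHost: example.test\r\n",
]

if __name__ == "__main__":
    print(handshake_stage(CAPTURE_SILENT))
```

A result of browser-silent matches the situation Henrik describes, where the browser has not agreed to send the initial negotiation packet.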
