Re: [squid-users] Re: Unable to get Firefox to authenticate via Kerberos

From: Mike Bordignon (GMI) <mike_at_gmi.co.nz>
Date: Wed, 03 Feb 2010 09:47:48 +1300

I did read that I shouldn't use DES but I wasn't able to get it going with
RC4. Each time I generate a keytab with RC4 encryption I cannot get it going
after copying to my squid box. Do I need to do anything to Windows Server
2003 to have it generate/accept tickets with RC4 encryption? From kerbtray it
appears I already have other RC4 tickets, so I'm confused.

This is the command line I'm using to generate the keytab:

ktpass -princ HTTP/fqdn@REALM -mapuser user@REALM -pass password -ptype KRB5_NT_SRV_HST -out squid.keytab

The errors I receive in cache.log after generating the keytab with
ktpass are as follows:

2010/02/03 09:45:49| squid_kerb_auth: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid (length: 59).
2010/02/03 09:45:49| squid_kerb_auth: parseNegTokenInit failed with rc=101
2010/02/03 09:45:49| squid_kerb_auth: received type 1 NTLM token

In /etc/krb5.conf I have:
   permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
   default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
   default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5

Any suggestions?

-------- Original Message --------
Subject: [squid-users] Re: Unable to get Firefox to authenticate via
Kerberos
From: Markus Moeller <huaraz_at_moeller.plus.com>
To: squid-users_at_squid-cache.org
Date: 2/02/2010 7:21 p.m.
> BTW, you shouldn't use DES encryption anymore as it is too weak and
> will be disabled in future Kerberos libraries (as you have noticed in
> Windows 7). Use RC4 or AES.
>
> Markus
>
> "Mike Bordignon (GMI)" <mike_at_gmi.co.nz> wrote in message
> news:4B676552.20907_at_gmi.co.nz...
>>
>> No matter - this was the problem
>> http://www.mcplusa.com/blog/2009/10/authentication-with-kerberos-on-windows-7-and-the-google-search-appliance/
>>
>> -------- Original Message --------
>> Subject: [squid-users] Unable to get Firefox to authenticate via
>> Kerberos
>> From: Mike Bordignon (GMI) <mike_at_gmi.co.nz>
>> To: squid-users_at_squid-cache.org
>> Date: 2/02/2010 11:03 a.m.
>>> Hello,
>>>
>>> I've recently managed to set up squid3.0 (STABLE8, on Debian Lenny) to
>>> authenticate requests via a Win2003 machine over Kerberos. It's working
>>> well with IE7 (on XP), but neither IE8 nor FF3.0 (both on Windows 7)
>>> will authenticate successfully. When I configure a squid_ldap_auth
>>> backup it will authenticate, but when I specify only negotiate it will
>>> fail miserably.
>>>
>>> This is what I'm getting in cache.log:
>>>
>>> 2010/02/02 10:53:48| squid_kerb_auth: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid (length: 59).
>>> 2010/02/02 10:53:48| squid_kerb_auth: parseNegTokenInit failed with rc=101
>>> 2010/02/02 10:53:48| squid_kerb_auth: received type 1 NTLM token
>>>
>>> This puzzles me as I've set up network.negotiate-auth.trusted-uris in
>>> Firefox correctly (I've tried setting it to both domain.com and
>>> proxy.domain.com). Using kerbtray I don't appear to have any tickets
>>> for http/fqdn/realm.com. Should I have? Do I need to restart Windows?
>>>
>>> IE8 appears to prompt for Integrated Security but when I enter my
>>> credentials nothing happens. The same log entry above appears.
>>>
>>> Any help much appreciated.
>>>
>>> cheers
>>> Mike
>>
>
>

-- 
Mike Bordignon
Gareth Morgan Investments
p: +64 4 494 6076
m: +64 21 614 308
w: http://gmi.co.nz
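Before chasing keytab encryption types, it is worth confirming what the browser actually sent: the helper log above says it received an NTLM type 1 token, and decoding the base64 blob shows exactly that. The Python below is an added example, not part of this thread or of Squid's squid_kerb_auth; it pulls the token out of the quoted cache.log line (copied from the message above, with the archive's line wrap undone), tells NTLMSSP apart from SPNEGO and raw Kerberos GSS tokens by their standard mechanism OIDs, and for an NTLM NEGOTIATE message reads the flags and the client OS version Windows embeds in it.

```python
import base64
import re
import struct

# Constructed sample: the helper line quoted in the message above, with the
# archive's line wrap undone so the base64 token is contiguous.
LOG_LINE = ("2010/02/03 09:45:49| squid_kerb_auth: Got 'YR "
            "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw=='"
            " from squid (length: 59).")

SPNEGO_OID = bytes.fromhex("2b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")    # 1.2.840.113554.1.2.2
NTLMSSP_NEGOTIATE_VERSION = 0x02000000            # MS-NLMP NegotiateFlags bit

def token_from_log(line):
    """Return the decoded token from a "Got 'YR <base64>'" helper log line."""
    m = re.search(r"Got '(?:YR|KK) ([A-Za-z0-9+/=]+)'", line)
    if not m:
        raise ValueError("no negotiate token found in log line")
    return base64.b64decode(m.group(1))

def gss_mech_oid(tok):
    """Mechanism OID of a GSS-API InitialContextToken (0x60 len 0x06 len oid)."""
    if len(tok) < 4 or tok[0] != 0x60:
        return None
    i = 2 if tok[1] < 0x80 else 2 + (tok[1] & 0x7F)   # skip short/long DER length
    if i + 2 > len(tok) or tok[i] != 0x06:
        return None
    return bytes(tok[i + 2:i + 2 + tok[i + 1]])

def classify(tok):
    """Identify what the client sent: NTLMSSP, SPNEGO, raw Kerberos, or unknown."""
    if tok.startswith(b"NTLMSSP\x00") and len(tok) >= 16:
        msg_type, flags = struct.unpack_from("<II", tok, 8)
        info = {"mech": "NTLMSSP", "type": msg_type, "flags": flags}
        # A NEGOTIATE (type 1) message with the VERSION flag set carries the
        # client's OS major/minor/build at offset 32 (MS-NLMP VERSION field).
        if msg_type == 1 and flags & NTLMSSP_NEGOTIATE_VERSION and len(tok) >= 40:
            major, minor, build = struct.unpack_from("<BBH", tok, 32)
            info["client_os"] = f"{major}.{minor} build {build}"
        return info
    oid = gss_mech_oid(tok)
    if oid == SPNEGO_OID:
        return {"mech": "SPNEGO"}
    if oid == KRB5_OID:
        return {"mech": "KRB5"}
    return {"mech": "unknown"}

if __name__ == "__main__":
    print(classify(token_from_log(LOG_LINE)))
```

For the token on this page the result is an NTLMSSP NEGOTIATE message from a 6.1 build 7600 client (Windows 7), so the browser never attempted Kerberos and the keytab was not yet in play.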
Received on Tue Feb 02 2010 - 20:47:55 MST