Re: [squid-users] Re: Re: Unable to get Firefox to authenticate via Kerberos

From: Mike Bordignon (GMI) <mike_at_gmi.co.nz>
Date: Wed, 03 Feb 2010 11:28:27 +1300

I did try msktutil at first but it crashed in flames
(http://pastie.org/private/tjfwuprb8xdlm3hlrluwva).
I used ktpass which was already on my server (which is R2 SP2).

In any case, it's now working with RC4! I think the problem may have
been a combination of

* Taking too long to copy the key to the squid machine (is this even possible?)
* Clock being out by a few minutes on one machine
* Restart of browser and/or Win7 required

Until I restarted my browser/machine, I kept getting this error:
2010/02/03 09:55:46| squid_kerb_auth: gss_accept_sec_context() failed:
Unspecified GSS failure. Minor code may provide more information. Key
version number for principal in key table is incorrect

-------- Original Message --------
Subject: [squid-users] Re: Re: Unable to get Firefox to authenticate via
Kerberos
From: Markus Moeller <huaraz_at_moeller.plus.com>
To: squid-users_at_squid-cache.org
Date: 3/02/2010 11:14 a.m.
> I recall that there was a problem with ktpass. Did you use the version
> for SP2? Can you try what is described in the squid wiki with msktutil?
>
> Markus
>
>
> "Mike Bordignon (GMI)" <mike_at_gmi.co.nz> wrote in message
> news:4B688F74.1050607_at_gmi.co.nz...
>>
>> I did read that I shouldn't use DES but I wasn't able to get it going
>> with RC4. Each time I generate a keytab with RC4 encryption I cannot get
>> it going after copying to my squid box. Do I need to do anything to
>> Windows Server 2003 to have it generate/accept tickets with RC4
>> encryption? From kerbtray it appears I already have other RC4 tickets,
>> so I'm confused.
>>
>> This is the command line I'm using to generate the keytab:
>>
>> ktpass -princ HTTP/fqdn_at_REALM -mapuser user_at_REALM -pass password
>> -ptype KRB5_NT_SRV_HST -out squid.keytab
>>
>> The errors I receive in cache.log after generating the keytab with
>> ktpass are as follows:
>>
>> 2010/02/03 09:45:49| squid_kerb_auth: Got 'YR
>> TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid
>> (length: 59).
>> 2010/02/03 09:45:49| squid_kerb_auth: parseNegTokenInit failed with
>> rc=101
>> 2010/02/03 09:45:49| squid_kerb_auth: received type 1 NTLM token
>>
>> In /etc/krb5.conf I have:
>> permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
>> default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
>> default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
>>
>> Any suggestions?
>>
>>
>> -------- Original Message --------
>> Subject: [squid-users] Re: Unable to get Firefox to authenticate via
>> Kerberos
>> From: Markus Moeller <huaraz_at_moeller.plus.com>
>> To: squid-users_at_squid-cache.org
>> Date: 2/02/2010 7:21 p.m.
>>> BTW You shouldn't use DES encryption anymore as it is too weak and
>>> will be disabled in future Kerberos libraries (as you have noticed
>>> in windows 7). Use RC4 or AES.
>>>
>>> Markus
>>>
>>> "Mike Bordignon (GMI)" <mike_at_gmi.co.nz> wrote in message
>>> news:4B676552.20907_at_gmi.co.nz...
>>>>
>>>> No matter - this was the problem
>>>> http://www.mcplusa.com/blog/2009/10/authentication-with-kerberos-on-windows-7-and-the-google-search-appliance/
>>>>
>>>>
>>>>
>>>> -------- Original Message --------
>>>> Subject: [squid-users] Unable to get Firefox to authenticate via
>>>> Kerberos
>>>> From: Mike Bordignon (GMI) <mike_at_gmi.co.nz>
>>>> To: squid-users_at_squid-cache.org
>>>> Date: 2/02/2010 11:03 a.m.
>>>>> Hello,
>>>>>
>>>>> I've recently managed to set up squid3.0 (STABLE8, on Debian Lenny) to
>>>>> authenticate requests via a Win2003 machine over Kerberos. It's working
>>>>> well with IE7 (on XP), but neither IE8 nor FF3.0 (both on Windows 7)
>>>>> will authenticate successfully. When I configure a squid_ldap_auth
>>>>> backup it will authenticate, but when I specify only negotiate it will
>>>>> fail miserably.
>>>>>
>>>>> This is what I'm getting in cache.log:
>>>>>
>>>>> 2010/02/02 10:53:48| squid_kerb_auth: Got 'YR
>>>>> TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid
>>>>> (length: 59).
>>>>> 2010/02/02 10:53:48| squid_kerb_auth: parseNegTokenInit failed
>>>>> with rc=101
>>>>> 2010/02/02 10:53:48| squid_kerb_auth: received type 1 NTLM token
>>>>>
>>>>> This puzzles me as I've set up network.negotiate-auth.trusted-uris in
>>>>> Firefox correctly (I've tried setting it to both domain.com and
>>>>> proxy.domain.com). Using kerbtray I don't appear to have any tickets for
>>>>> http/fqdn/realm.com. Should I have? Do I need to restart Windows?
>>>>>
>>>>> IE8 appears to prompt for Integrated Security but when I enter my
>>>>> credentials nothing happens. The same log entry above appears.
>>>>>
>>>>> Any help much appreciated.
>>>>>
>>>>>
>>>>>
>>>>> cheers
>>>>> Mike
>>>>
>>>
>>>
>>
>> --
>> Mike Bordignon
>> Gareth Morgan Investments
>> p: +64 4 494 6076
>> m: +64 21 614 308
>> w: http://gmi.co.nz
>>
>>
>
>

-- 
Mike Bordignon
Gareth Morgan Investments
p: +64 4 494 6076
m: +64 21 614 308
w: http://gmi.co.nz
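An added diagnostic script (not from this thread, Squid, or squid_kerb_auth) for the two artefacts quoted above: it decodes the token in the `squid_kerb_auth: Got '...'` line to show whether the browser sent a GSS-API/SPNEGO token or fell back to an NTLMSSP message (the `TlRMTVNTUAAB...` blob is an NTLM type 1 NEGOTIATE, so no Kerberos exchange took place), and it lists which enctypes in the quoted `krb5.conf` settings are deprecated by RFC 6649 (DES) and RFC 8429 (3DES, RC4). The log lines and config fragment are constructed copies of the ones quoted in the thread; the framing checks rely only on the public NTLMSSP signature and the RFC 2743 token header.

```python
import base64
import re
import struct

# Constructed copy of the cache.log lines quoted in the thread (not captured live).
SAMPLE_LOG = """\
2010/02/03 09:45:49| squid_kerb_auth: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid (length: 59).
2010/02/03 09:45:49| squid_kerb_auth: parseNegTokenInit failed with rc=101
2010/02/03 09:45:49| squid_kerb_auth: received type 1 NTLM token
"""
# Constructed copy of the krb5.conf enctype settings quoted in the thread.
SAMPLE_KRB5_CONF = """\
permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
"""

TOKEN_RE = re.compile(r"squid_kerb_auth: Got '(?:YR|KK) (\S+)' from squid")
ENCTYPE_RE = re.compile(
    r"^\s*(permitted_enctypes|default_tkt_enctypes|default_tgs_enctypes)\s*=\s*(.+)$", re.M)
SPNEGO_OID = bytes.fromhex("06062b0601050502")      # DER OID 1.3.6.1.5.5.2 (SPNEGO)
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # DER OID 1.2.840.113554.1.2.2 (Kerberos 5)
# Prefixes of enctypes deprecated by RFC 6649 (DES) and RFC 8429 (3DES, RC4).
DEPRECATED = ("des-", "des3-", "rc4-", "arcfour-")

def classify_token(b64):
    """Tell an NTLMSSP message apart from a real GSS-API initial context token."""
    raw = base64.b64decode(b64)
    if raw.startswith(b"NTLMSSP\x00") and len(raw) >= 12:
        # Bytes 8..11 hold the little-endian message type (1 = NEGOTIATE).
        return "ntlm-type-%d" % struct.unpack_from("<I", raw, 8)[0]
    if raw[:1] == b"\x60":
        # RFC 2743 InitialContextToken: 0x60, a DER length (1-3 bytes), then the
        # mechanism OID, so the OID always sits inside the first 16 bytes.
        head = raw[:16]
        if SPNEGO_OID in head:
            return "spnego"
        if KRB5_OID in head:
            return "krb5"
    return "unknown"

def audit_log(text):
    """Token type for every 'Got ...' line; an NTLM type means no Kerberos happened."""
    return [classify_token(m.group(1)) for m in TOKEN_RE.finditer(text)]

def weak_enctypes(conf):
    """Map each enctype setting to the deprecated enctypes it still lists."""
    return {key: [e for e in val.split() if e.startswith(DEPRECATED)]
            for key, val in ENCTYPE_RE.findall(conf)}
```

Run against the quoted material, `audit_log` reports `['ntlm-type-1']` and `weak_enctypes` flags every enctype listed, which together point at a client that never obtained a service ticket and a configuration that should be reduced to the AES enctypes.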
Received on Tue Feb 02 2010 - 22:28:35 MST

This archive was generated by hypermail 2.2.0 : Wed Feb 03 2010 - 12:00:02 MST