[squid-users] Re: Re: Re: Unable to get Firefox to authenticate via Kerberos

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Tue, 2 Feb 2010 22:53:47 -0000

You can get key version errors when your client has cached the old key (a
key can be cached for up to 10 hours). Use, for example, kerbtray purge to
clear the client cache.

Markus

"Mike Bordignon (GMI)" <mike_at_gmi.co.nz> wrote in message
news:4B68A70B.4060209_at_gmi.co.nz...
>
> I did try msktutil at first but it crashed in flames
> (http://pastie.org/private/tjfwuprb8xdlm3hlrluwva).
> I used ktpass which was already on my server (which is R2 SP2).
>
> In any case, it's now working with RC4! I think the problem may have been
> a combination of
>
> * Taking too long to copy the key to the squid machine (is this even
> possible?)
> * Clock being out by a few minutes on one machine
> * Restart of browser and/or Win7 required
>
> Until I restarted my browser/machine, I kept getting this error:
> 2010/02/03 09:55:46| squid_kerb_auth: gss_accept_sec_context() failed:
> Unspecified GSS failure. Minor code may provide more information. Key
> version number for principal in key table is incorrect
>
>
> -------- Original Message --------
> Subject: [squid-users] Re: Re: Unable to get Firefox to authenticate via
> Kerberos
> From: Markus Moeller <huaraz_at_moeller.plus.com>
> To: squid-users_at_squid-cache.org
> Date: 3/02/2010 11:14 a.m.
>> I recall that there was a problem with ktpass. Did you use the version
>> for SP2? Can you try what is described in the squid wiki with msktutil?
>>
>> Markus
>>
>>
>> "Mike Bordignon (GMI)" <mike_at_gmi.co.nz> wrote in message
>> news:4B688F74.1050607_at_gmi.co.nz...
>>>
>>> I did read that I shouldn't use DES but I wasn't able to get it going
>>> with RC4. Each time I generate
>>> a keytab with RC4 encryption I cannot get it going after copying to my
>>> squid box. Do I need to
>>> do anything to Windows Server 2003 to have it generate/accept tickets
>>> with RC4 encryption?
>>> From kerbtray it appears I already have other RC4 tickets, so I'm
>>> confused.
>>>
>>> This is the command line I'm using to generate the keytab:
>>>
>>> ktpass -princ HTTP/fqdn_at_REALM -mapuser user_at_REALM -pass password -ptype
>>> KRB5_NT_SRV_HST -out squid.keytab
>>>
>>> The errors I receive in cache.log after generating the keytab with
>>> ktpass are as follows:
>>>
>>> 2010/02/03 09:45:49| squid_kerb_auth: Got 'YR
>>> TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid
>>> (length: 59).
>>> 2010/02/03 09:45:49| squid_kerb_auth: parseNegTokenInit failed with
>>> rc=101
>>> 2010/02/03 09:45:49| squid_kerb_auth: received type 1 NTLM token
>>>
>>> In /etc/krb5.conf I have:
>>> permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
>>> default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
>>> default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
>>>
>>> Any suggestions?
>>>
>>>
>>> -------- Original Message --------
>>> Subject: [squid-users] Re: Unable to get Firefox to authenticate via
>>> Kerberos
>>> From: Markus Moeller <huaraz_at_moeller.plus.com>
>>> To: squid-users_at_squid-cache.org
>>> Date: 2/02/2010 7:21 p.m.
>>>> BTW, you shouldn't use DES encryption anymore as it is too weak and will
>>>> be disabled in future Kerberos libraries (as you have noticed in
>>>> Windows 7). Use RC4 or AES.
>>>>
>>>> Markus
>>>>
>>>> "Mike Bordignon (GMI)" <mike_at_gmi.co.nz> wrote in message
>>>> news:4B676552.20907_at_gmi.co.nz...
>>>>>
>>>>> No matter - this was the problem
>>>>> http://www.mcplusa.com/blog/2009/10/authentication-with-kerberos-on-windows-7-and-the-google-search-appliance/
>>>>>
>>>>>
>>>>> -------- Original Message --------
>>>>> Subject: [squid-users] Unable to get Firefox to authenticate via
>>>>> Kerberos
>>>>> From: Mike Bordignon (GMI) <mike_at_gmi.co.nz>
>>>>> To: squid-users_at_squid-cache.org
>>>>> Date: 2/02/2010 11:03 a.m.
>>>>>> Hello,
>>>>>>
>>>>>> I've recently managed to set up squid3.0 (STABLE8, on Debian Lenny) to
>>>>>> authenticate requests via a Win2003 machine over Kerberos. It's working
>>>>>> well with IE7 (on XP), but neither IE8 nor FF3.0 (both on Windows 7)
>>>>>> will authenticate successfully. When I configure a squid_ldap_auth
>>>>>> backup it will authenticate, but when I specify only negotiate it will
>>>>>> fail miserably.
>>>>>>
>>>>>> This is what I'm getting in cache.log:
>>>>>>
>>>>>> 2010/02/02 10:53:48| squid_kerb_auth: Got 'YR
>>>>>> TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid
>>>>>> (length: 59).
>>>>>> 2010/02/02 10:53:48| squid_kerb_auth: parseNegTokenInit failed with
>>>>>> rc=101
>>>>>> 2010/02/02 10:53:48| squid_kerb_auth: received type 1 NTLM token
>>>>>>
>>>>>> This puzzles me as I've set up network.negotiate-auth.trusted-uris in
>>>>>> Firefox correctly (I've tried setting it to both domain.com and
>>>>>> proxy.domain.com). Using kerbtray I don't appear to have any tickets for
>>>>>> http/fqdn/realm.com. Should I have? Do I need to restart Windows?
>>>>>>
>>>>>> IE8 appears to prompt for Integrated Security but when I enter my
>>>>>> credentials nothing happens. The same log entry above appears.
>>>>>>
>>>>>> Any help much appreciated.
>>>>>>
>>>>>>
>>>>>>
>>>>>> cheers
>>>>>> Mike
>>>>>
>>>>
>>>>
>>>
>>> --
>>> Mike Bordignon
>>> Gareth Morgan Investments
>>> p: +64 4 494 6076
>>> m: +64 21 614 308
>>> w: http://gmi.co.nz
>>>
>>>
>>
>>
>
> --
> Mike Bordignon
> Gareth Morgan Investments
> p: +64 4 494 6076
> m: +64 21 614 308
> w: http://gmi.co.nz
>
>
Received on Tue Feb 02 2010 - 22:54:17 MST
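Added diagnostic example, not code from the thread or from Squid: it decodes the Negotiate blob quoted in the cache.log lines above and reports whether the browser sent bare NTLMSSP or a GSS-API/SPNEGO-framed Kerberos token. The SPNEGO sample token is constructed here for comparison; the OIDs are the standard GSS-API mechanism identifiers.

```python
import base64

# Negotiate blob copied from the cache.log line quoted in the thread; the
# "YR " in front of it is Squid's helper-protocol prefix, not part of the token.
LOG_TOKEN = "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw=="

# DER-encoded mechanism OIDs that follow the 0x60 tag of a GSS-API
# InitialContextToken (RFC 2743, section 3.1).
MECH_OIDS = {
    bytes.fromhex("06062b0601050502"): "SPNEGO",         # 1.3.6.1.5.5.2
    bytes.fromhex("06092a864886f712010202"): "KRB5",     # 1.2.840.113554.1.2.2
    bytes.fromhex("06092a864882f712010202"): "MS-KRB5",  # 1.2.840.48018.1.2.2
}
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
NTLMSSP_NEGOTIATE_VERSION = 0x02000000

# Constructed sample (not from the thread): a minimal SPNEGO-framed token.
SAMPLE_SPNEGO = base64.b64encode(
    b"\x60\x0a" + bytes.fromhex("06062b0601050502") + b"\xa0\x00").decode()

def _der_length(buf, pos):
    """Return (length, offset of first content byte) for the DER length at buf[pos]."""
    first = buf[pos]
    if first < 0x80:                      # short form
        return first, pos + 1
    n = first & 0x7F                      # long form: n length bytes follow
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def classify_negotiate_token(b64):
    """Report which mechanism a 'Negotiate <b64>' header really carries."""
    raw = base64.b64decode(b64)
    if raw.startswith(b"NTLMSSP\x00") and len(raw) >= 16:
        # Bare NTLMSSP with no GSS framing: squid_kerb_auth cannot accept it.
        msg_type = int.from_bytes(raw[8:12], "little")
        flags = int.from_bytes(raw[12:16], "little")
        info = {"mechanism": "NTLMSSP", "flags": hex(flags),
                "ntlm_message": NTLM_TYPES.get(msg_type, "UNKNOWN")}
        if msg_type == 1 and flags & NTLMSSP_NEGOTIATE_VERSION and len(raw) >= 40:
            # Optional VERSION field at offset 32: major, minor, build (LE16).
            info["client_os"] = "%d.%d.%d" % (raw[32], raw[33], int.from_bytes(raw[34:36], "little"))
        return info
    if raw[:1] == b"\x60":
        _, pos = _der_length(raw, 1)
        for oid, name in MECH_OIDS.items():
            if raw[pos:pos + len(oid)] == oid:
                return {"mechanism": name}
        return {"mechanism": "GSS-API (unknown mech)"}
    return {"mechanism": "unrecognised"}
```

The thread's token classifies as an NTLMSSP NEGOTIATE message, which is what the helper's "received type 1 NTLM token" line reports: the browser had no usable Kerberos service ticket for the proxy and fell back to NTLM. That points the troubleshooting at the ticket and keytab side (SPN, key version, clock skew), not at the Squid configuration.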
