[squid-users] Authenticate domain user from Nick Cairncross on 2010-06-30 (squid-users)

From: Nick Cairncross <Nick.Cairncross_at_condenast.co.uk>
Date: Wed, 30 Jun 2010 20:49:50 +0100

Hi All,

I use Kerberos authentication for my domain computers and users. All works well except for the following scenario: If a non-domain PC (i.e. workgroup) is pointed to squid (fqdn) I receive an unsatisfiable login prompt for my squid proxy. After three attempts with domain\username and password if I then click on the link displayed on the Access Denied squid error (e.g. www.Hotmail.com) I am able to access the browse the internet. Strange, no?

Cache.log show for the three fails

2010/06/30 15:03:56| squid_kerb_auth: Got 'YR TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from squid (length: 59).
2010/06/30 15:03:56| squid_kerb_auth: Decode 'TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' (decoded length: 40).
2010/06/30 15:03:56| squid_kerb_auth: received type 1 NTLM token
2010/06/30 15:03:56| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
2010/06/30 15:03:56| squid_kerb_auth: Got 'YR TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from squid (length: 59).
2010/06/30 15:03:56| squid_kerb_auth: Decode 'TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' (decoded length: 40).
2010/06/30 15:03:56| squid_kerb_auth: received type 1 NTLM token
2010/06/30 15:03:56| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'

And then shows my token & username etc as expected when I click on the 'denied' web-link..

Any help would be greatly appreciated
N

The information contained in this e-mail is of a confidential nature and is intended only for the addressee. If you are not the intended addressee, any disclosure, copying or distribution by you is prohibited and may be unlawful. Disclosure to any party other than the addressee, whether inadvertent or otherwise, is not intended to waive privilege or confidentiality. Internet communications are not secure and therefore Conde Nast does not accept legal responsibility for the contents of this message. Any views or opinions expressed are those of the author.

The Conde Nast Publications Ltd (No. 226900), Vogue House, Hanover Square, London W1S 1JU
Received on Wed Jun 30 2010 - 19:49:59 MDT

This archive was generated by hypermail 2.2.0 : Thu Jul 01 2010 - 12:00:04 MDT