[squid-users] Re: Authenticate domain user

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Thu, 1 Jul 2010 21:20:53 +0100

What is you access config ? Maybe you have a line which gives also
unauthenticated users access to hotmail.

BTW Do you want the workgroup users to have access after authentication ? I
tested that it might work if you provide via dhcp a WINS server which has an
entry for the Kerberos domain. Then users can use a domain
username/password from a workgroup PC.

Markus

"Nick Cairncross" <Nick.Cairncross_at_condenast.co.uk> wrote in message
news:7C792063A22DFB40A9387B1D11B012F660CBFEF232_at_EXMB01.uk.conde-nast.biz...
Hi All,

I use Kerberos authentication for my domain computers and users. All works
well except for the following scenario: If a non-domain PC (i.e. workgroup)
is pointed to squid (fqdn) I receive an unsatisfiable login prompt for my
squid proxy. After three attempts with domain\username and password if I
then click on the link displayed on the Access Denied squid error (e.g.
www.Hotmail.com) I am able to access the browse the internet. Strange, no?

Cache.log show for the three fails

2010/06/30 15:03:56| squid_kerb_auth: Got 'YR
TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from squid
(length: 59).
2010/06/30 15:03:56| squid_kerb_auth: Decode
'TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' (decoded length:
40).
2010/06/30 15:03:56| squid_kerb_auth: received type 1 NTLM token
2010/06/30 15:03:56| authenticateNegotiateHandleReply: Error validating user
via Negotiate. Error returned 'BH received type 1 NTLM token'
2010/06/30 15:03:56| squid_kerb_auth: Got 'YR
TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from squid
(length: 59).
2010/06/30 15:03:56| squid_kerb_auth: Decode
'TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' (decoded length:
40).
2010/06/30 15:03:56| squid_kerb_auth: received type 1 NTLM token
2010/06/30 15:03:56| authenticateNegotiateHandleReply: Error validating user
via Negotiate. Error returned 'BH received type 1 NTLM token'

And then shows my token & username etc as expected when I click on the
'denied' web-link..

Any help would be greatly appreciated
N

The information contained in this e-mail is of a confidential nature and is
intended only for the addressee. If you are not the intended addressee, any
disclosure, copying or distribution by you is prohibited and may be
unlawful. Disclosure to any party other than the addressee, whether
inadvertent or otherwise, is not intended to waive privilege or
confidentiality. Internet communications are not secure and therefore Conde
Nast does not accept legal responsibility for the contents of this message.
Any views or opinions expressed are those of the author.

The Conde Nast Publications Ltd (No. 226900), Vogue House, Hanover Square,
London W1S 1JU
Received on Thu Jul 01 2010 - 20:25:11 MDT

This archive was generated by hypermail 2.2.0 : Fri Jul 02 2010 - 12:00:03 MDT