[squid-users] Squid 3.0 STABLE 19 and SPNEGO with Windows Firefox 3.6.3

From: Paul Freeman <paul.freeman_at_eml.com.au>
Date: Tue, 7 Sep 2010 17:02:56 +1000

Hi
I am running Squid 3.0STABLE19 on Ubuntu 10.04LTS as a "normal"
(non-transparent) proxy server for a number of Windows workstations in an
Active Directory environment using W2K8R2 domain controller servers running
in W2K3 functional mode.

I have implemented authentication in Squid using the squid_kerb_auth module
from Markus Moeller. Authentication is working fine for users logging in
using domain credentials on domain registered workstations using both IE7 and
8 on Windows XP and Firefox 3.6.3.

However, I would like to allow the occasional non-domain user to have
internet access via Squid and so it would be helpful for a login dialog box
to be presented. When IE 7 and 8 are used, this occurs and authentication is
successful. However, with Firefox it does not and an error is returned by
Squid - Access Denied.

Looking at some packet dumps between the Windows workstation and Squid shows
that Firefox tries a few times to auth then gives up. Enabling logging in
Firefox reveals Firefox responds similarly to IE with a GET request with a
Proxy-Authorization: Negotiate ..... header. In the Squid cache log it
indicates:

squid_kerb_auth: Got 'YR T1RMT...AAAADw==' from squid (length 59).
squid_kerb_auth: received type 1 NTLM token

However, unlike IE, it then gives up whereas IE then initiates a KRB5 AS-REQ
to a domain controller then gets a ticket and then contacts Squid again at
which point it authenticates.

In the Firefox log, just before the GET request, it shows:

service = fqdn.of.squid.proxy
using negotiate-sspi
using SPN of [HTTP/fqdn.of.squid.proxy]]
AcquireCredentailsHandle() succeeded
nsHttpNegotiateAuth:: GenerateCredentials_1_9_2() [challenge=Negotiate]
entering nsAuthSSPI::GetNextToken()
InitializeSecurityContext: continue
Sending a token of length 40

Then after sending the GET request and receiving the Squid 407 response it
shows:
nsHttpNegotiateAuth:: GenerateCredentials_1_9_2() [challenge=Negotiate]
entering nsAuthSSPI::GetNextToken()
Cannot restart authentication sequence!

Does Firefox not like the Squid HTTP1.0 Proxy-Connection: close response in
response to its HTTP1.1 Proxy-Connection: keep-alive GET request?

I am puzzled as to whether Squid, Firefox or IE is behaving as one would
expect given the scenario.

Does anyone have any ideas?

If Squid and Firefox are behaving correctly but IE is doing a workaround then
that is OK and I will need to live with the situation.

I am happy to perform additional debug work to investigate the problem
further.

I have tried various settings in the Firefox about:config -
network.negotiate-auth.trusted-uris configuration item, and other similar
related settings mentioned in other posts but without success.

Reading some Mozilla Dev postings over the last 12 months or so indicates
there have been some issues with NTLM and Kerberos in various versions of
Firefox but I think these have been addressed.

Thanks in advance

Paul Freeman
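As an added example (not part of the original post, and not squid_kerb_auth's own code), here is a small classifier for the blob a client puts in its Proxy-Authorization: Negotiate header: it tells a bare NTLMSSP message (what the cache.log line above reports as a "type 1 NTLM token") apart from a GSS-API Kerberos token and from a SPNEGO NegTokenInit, and for SPNEGO it reads the first mechType, which is the mechanism the client prefers. The function names, the DER helpers and the 40-byte sample NTLM message are all assumptions constructed for this example; the OIDs are the public mechanism OIDs.

```python
import base64

# GSS-API mechanism OIDs as DER content bytes (public values from RFC 4178 / MS-SPNG).
SPNEGO_OID  = bytes.fromhex("2b0601050502")          # 1.3.6.1.5.5.2
KRB5_OID    = bytes.fromhex("2a864886f712010202")    # 1.2.840.113554.1.2.2
MSKRB5_OID  = bytes.fromhex("2a864882f712010202")    # 1.2.840.48018.1.2.2
NTLMSSP_OID = bytes.fromhex("2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
MECH_NAMES = {KRB5_OID: "Kerberos 5", MSKRB5_OID: "MS Kerberos 5", NTLMSSP_OID: "NTLMSSP"}

def der_len(buf, i):  # decode the DER length at buf[i]; return (length, index of first content byte)
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def der_tlv(tag, body):  # build a DER TLV with a short-form length (enough for the samples)
    return bytes([tag, len(body)]) + body

def classify_token(tok):
    """Say what kind of token a client sent in its Negotiate header (tok = decoded bytes)."""
    if tok.startswith(b"NTLMSSP\x00"):  # bare NTLMSSP message, no GSS-API wrapper at all
        return "raw NTLM type %d" % int.from_bytes(tok[8:12], "little")
    if tok[:1] != b"\x60":  # not a GSS-API InitialContextToken
        return "unknown"
    _, i = der_len(tok, 1)
    if tok[i] != 0x06:  # the InitialContextToken must start with the mechanism OID
        return "unknown"
    n, i = der_len(tok, i + 1)
    mech, i = tok[i:i + n], i + n
    if mech != SPNEGO_OID:
        return "Kerberos 5 (raw GSS-API)" if mech == KRB5_OID else "unknown"
    # NegTokenInit is [0] SEQUENCE { [0] mechTypes SEQUENCE OF OID, ... }: skip the four headers
    for tag in (0xA0, 0x30, 0xA0, 0x30):
        if tok[i] != tag:
            return "SPNEGO (mechTypes not parsed)"
        _, i = der_len(tok, i + 1)
    n, i = der_len(tok, i + 1)  # first OID in mechTypes is the client's preferred mechanism
    return "SPNEGO preferring " + MECH_NAMES.get(tok[i:i + n], tok[i:i + n].hex())

def classify_negotiate_header(value):
    """Accept the full 'Negotiate <base64>' header value as seen in a packet capture."""
    return classify_token(base64.b64decode(value.split(None, 1)[1]))

def build_spnego_init(mech_oids):  # construct a minimal SPNEGO NegTokenInit with only mechTypes
    mech_list = der_tlv(0x30, b"".join(der_tlv(0x06, o) for o in mech_oids))
    return der_tlv(0x60, der_tlv(0x06, SPNEGO_OID) + der_tlv(0xA0, der_tlv(0x30, der_tlv(0xA0, mech_list))))

# Constructed 40-byte NTLM NEGOTIATE (type 1) message: signature, type, flags, empty fields, version.
NTLM_TYPE1 = b"NTLMSSP\x00" + (1).to_bytes(4, "little") + bytes.fromhex("078208a2") + bytes(24)
NTLM_HEADER = "Negotiate " + base64.b64encode(NTLM_TYPE1).decode()
```

Running classify_negotiate_header(NTLM_HEADER) gives "raw NTLM type 1", and classify_token(build_spnego_init([NTLMSSP_OID, KRB5_OID])) gives "SPNEGO preferring NTLMSSP", so a log or capture can be checked for whether a client ever offered Kerberos at all.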
Received on Tue Sep 07 2010 - 07:02:55 MDT

This archive was generated by hypermail 2.2.0 : Wed Sep 08 2010 - 12:00:03 MDT