[squid-users] Re: Squid 3.0 STABLE 19 and SPNEGO with Windows Firefox 3.6.3

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Tue, 7 Sep 2010 19:53:48 +0100

Hi Paul,

>"Paul Freeman" <paul.freeman_at_eml.com.au> wrote in message
>news:19672EECFB9AE340833C84F3E90B595604014244_at_mel-ex-01.eml.local...
>Hi
>I am running Squid 3.0STABLE19 on Ubuntu 10.04LTS as a "normal"
>(non-transparent) proxy server for a number of Windows workstations in an
>Active Directory environment using W2K8R2 domain controller servers running
>in W2K3 functional mode.
>
>I have implemented authentication in Squid using the squid_kerb_auth module
>from Markus Moeller. Authentication is working fine for users logging in
>using domain credentials on domain registered workstations using both IE7 and
>8 on Windows XP and Firefox 3.6.3.
>
>However, I would like to allow the occasional non-domain user to have
>internet access via Squid and so it would be helpful for a login dialog box
>to be presented. When IE 7 and 8 are used, this occurs and authentication is
>successful. However, with Firefox it does not and an error is returned by
>Squid - Access Denied.
>
>Looking at some packet dumps between the Windows workstation and Squid shows
>that Firefox tries a few times to auth then gives up. Enabling logging in
>Firefox reveals Firefox responds similarly to IE with a GET request with a
>Proxy-Authorization: Negotiate ..... header. In the Squid cache log it
>indicates:
>
>squid_kerb_auth: Got 'YR T1RMT...AAAADw==' from squid (length 59).
>squid_kerb_auth: received type 1 NTLM token
>
>However, unlike IE, it then gives up whereas IE then initiates a KRB5 AS-REQ
>to a domain controller then gets a ticket and then contacts Squid again at
>which point it authenticates.
>

I would like to know some more details here. Do you also see a KRB5 AS-REQ
at any time before? Can you use kerbtray from MS and list Kerberos tickets
for the non-domain user?

>In the Firefox log, just before the GET request, it shows:
>
>service = fqdn.of.squid.proxy
>using negotiate-sspi
>using SPN of [HTTP/fqdn.of.squid.proxy]]
>AcquireCredentailsHandle() succeeded
>nsHttpNegotiateAuth:: GenerateCredentials_1_9_2() [challenge=Negotiate]
>entering nsAuthSSPI::GetNextToken()
>InitializeSecurityContext: continue
>Sending a token of length 40
>
>Then after sending the GET request and receiving the Squid 407 response it
>shows:
>nsHttpNegotiateAuth:: GenerateCredentials_1_9_2() [challenge=Negotiate]
>entering nsAuthSSPI::GetNextToken()
>Cannot restart authentication sequence!
>

Does Firefox work after you used IE? E.g. does IE cache credentials which
can be used by Firefox?

Do you see any Kerberos traffic? Do you see DNS SRV requests to determine
the KDC?

>Does Firefox not like the Squid HTTP1.0 Proxy-Connection: close response in
>response to its HTTP1.1 Proxy-Connection: keep-alive GET request?
>
>I am puzzled as to whether Squid, Firefox or IE is behaving as one would
>expect given the scenario?
>
>Does anyone have any ideas?
>
>If Squid and Firefox are behaving correctly but IE is doing a workaround then
>that is OK and I will need to live with the situation.
>
>I am happy to perform additional debug work to investigate the problem
>further.
>
>I have tried various settings in the Firefox about:config -
>network.negotiate-auth.trusted-uris configuration item, and other similar
>related settings mentioned in other posts but without success.
>
>Reading some Mozilla Dev postings over the last 12 months or so indicate
>there have been some issues with NTLM and Kerberos in various versions of
>Firefox but I think these have been addressed.
>
>Thanks in advance
>
>Paul Freeman
>

Markus
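The helper line quoted above ("received type 1 NTLM token") is squid_kerb_auth noticing that the blob after `Negotiate` is raw NTLMSSP rather than a GSS-API SPNEGO/Kerberos token, which is typically what a Windows client sends when it has no Kerberos ticket to offer. The following is an added example, not code from this thread or from squid_kerb_auth: it performs the same classification on a Proxy-Authorization token, and both sample tokens are constructed (the NTLM one is shaped like the 40-byte token in Paul's Firefox log).

```python
import base64
import struct

# Mechanism OIDs (DER contents) that follow the 0x60 GSS-API InitialContextToken tag.
GSS_MECH_OIDS = {
    b"\x2b\x06\x01\x05\x05\x02": "spnego",                    # 1.3.6.1.5.5.2
    b"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02": "kerberos5",     # 1.2.840.113554.1.2.2
    b"\x2a\x86\x48\x82\xf7\x12\x01\x02\x02": "kerberos5-ms",  # 1.2.840.48018.1.2.2
}

def _der_len(buf, pos):  # decode a DER length at buf[pos]; return (length, next position)
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def classify_negotiate_token(b64_token):
    """Classify the blob after 'Negotiate' in Proxy-Authorization: raw NTLMSSP (what a
    client sends when it has no Kerberos ticket) or a GSS-API token and its mechanism."""
    try:
        raw = base64.b64decode(b64_token, validate=True)
    except ValueError:
        return "unknown"
    if raw.startswith(b"NTLMSSP\x00") and len(raw) >= 12:
        msg_type = struct.unpack_from("<I", raw, 8)[0]
        return {1: "ntlm-type1", 2: "ntlm-type2", 3: "ntlm-type3"}.get(msg_type, "ntlm-unknown")
    if raw[:1] == b"\x60":  # [APPLICATION 0] tag, DER length, then OBJECT IDENTIFIER of the mech
        try:
            _, pos = _der_len(raw, 1)
            if raw[pos:pos + 1] != b"\x06":
                return "unknown"
            oid_len, pos = _der_len(raw, pos + 1)
        except (ValueError, IndexError):
            return "unknown"
        return GSS_MECH_OIDS.get(raw[pos:pos + oid_len], "gssapi-unknown-mech")
    return "unknown"

def sample_ntlm_type1_b64():
    """Constructed 40-byte NTLMSSP type 1 (empty domain/workstation, OS version trailer), base64."""
    raw = (b"NTLMSSP\x00" + struct.pack("<II", 1, 0xE2088297) + struct.pack("<HHI", 0, 0, 0) * 2
           + bytes([5, 1]) + struct.pack("<H", 2600) + b"\x00\x00\x00\x0f")
    return base64.b64encode(raw).decode("ascii")

def sample_spnego_b64():
    """Constructed SPNEGO InitialContextToken (mech OID 1.3.6.1.5.5.2) with a dummy negTokenInit body."""
    body = b"\x06\x06\x2b\x06\x01\x05\x05\x02" + b"\xa0\x03\x30\x01\x00"
    return base64.b64encode(b"\x60" + bytes([len(body)]) + body).decode("ascii")
```

Squid hands the helper the client's first token prefixed with `YR`, so the same base64 string can be taken from either the cache.log line or a packet capture of the GET request.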
Received on Tue Sep 07 2010 - 18:54:11 MDT

This archive was generated by hypermail 2.2.0 : Wed Sep 08 2010 - 12:00:03 MDT