[squid-users] Re: Re: Re: Squid 3.1.6, Kerberos and strange browser auth behavior

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Wed, 22 Sep 2010 19:46:38 +0100

>"Aleksandar Ciric" <aciric79_at_yahoo.com> wrote in message
>news:375975.43025.qm_at_web114214.mail.gq1.yahoo.com...
>Gentoo Squid, IE browser
>
>1. GET google
>2. 407, Proxy-Authenticate: Negotiate\r\n
>3. GET google, Proxy-Authorization: Negotiate <token>, NTLMSSP
>4. 407, Proxy-Authenticate: Negotiate\r\n

Interesting. I thought Negotiate would use Kerberos first and then NTLM.

>5. Pass Prompt (stays on after ack)
>6. KRB5 AS-REQ/AS-REP, TGS-REQ/TGS-REP (with AD server)
>7. GET google, Proxy-Authorization: Negotiate <token>, GSS-API (SPNEGO)

What does squid say here in the logfile? If the token is complete it should
already return 200 OK.

If not, 8. should also return a token after Negotiate. Can you confirm that
8. does not contain a GSSAPI token?

>8. 407, Proxy-Authenticate: Negotiate\r\n
>pause (here I waited about a minute to type all this)
>9. Ack the pass prompt again (same user/pass, it stays filled in)
>10. KRB5 AS-REQ/AS-REP, TGS-REQ/TGS-REP (with AD server)
>11. GET google, Proxy-Authorization: Negotiate <token>, GSS-API (SPNEGO)
>12. 200 OK, Proxy-Authentication-Info: Negotiate
>
>token in 7 & 11 is exactly the same, same pvno, as are kerberos ticket
>version numbers in 6 and 10.
>
>There is no difference in 2, 4, 8 headerwise.
>
>Apparently that pause removed the need for third time, however you can
>blitz through the entire process by acknowledging pass prompt 3x in a row,
>which would only add steps 6,7&8 once more.
>
>Interesting is that a rather long pause (tried 30secs, needs about a
>minute) made all the difference.
>

Regards
Markus
Received on Wed Sep 22 2010 - 18:46:51 MDT
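
Added example, not part of the original message or of Squid's code: a small Python classifier for the Negotiate header values seen in the trace above. It tells a raw NTLMSSP token (step 3) apart from a GSS-API SPNEGO token (steps 7 and 11) and from a bare challenge carrying no token (steps 2, 4, 8). The sample tokens are constructed, and the function name and result labels are hypothetical.

```python
import base64
import struct

SPNEGO_OID = bytes.fromhex("2b0601050502")       # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")   # 1.2.840.113554.1.2.2
NTLM_TYPES = {1: "negotiate", 2: "challenge", 3: "authenticate"}

def classify_negotiate(header_value):
    """Classify the value of a Proxy-Authorization / Proxy-Authenticate header."""
    parts = header_value.strip().split(None, 1)
    if not parts or parts[0].lower() != "negotiate":
        return "not-negotiate"
    if len(parts) == 1:
        return "negotiate-no-token"               # bare challenge, no GSSAPI reply
    try:
        raw = base64.b64decode(parts[1], validate=True)
    except ValueError:                            # binascii.Error is a ValueError
        return "invalid-base64"
    if raw.startswith(b"NTLMSSP\x00") and len(raw) >= 12:
        msg_type = struct.unpack_from("<I", raw, 8)[0]
        return "ntlmssp-" + NTLM_TYPES.get(msg_type, "unknown")
    if raw[:1] == b"\x60" and len(raw) > 2:       # GSS-API InitialContextToken
        # Skip the DER length (short form, or long form with N length bytes).
        pos = 2 + (raw[1] & 0x7F if raw[1] & 0x80 else 0)
        if pos + 2 <= len(raw) and raw[pos] == 0x06:
            oid = raw[pos + 2 : pos + 2 + raw[pos + 1]]
            if oid == SPNEGO_OID:
                return "gssapi-spnego"
            if oid == KRB5_OID:
                return "gssapi-kerberos"
        return "gssapi-unknown-mech"
    if raw[:1] == b"\xa1":                        # SPNEGO NegTokenResp
        return "spnego-negTokenResp"
    return "unknown"

def _hdr(raw):
    return "Negotiate " + base64.b64encode(raw).decode()

# Constructed sample values, keyed by the step they stand in for.
SAMPLES = {
    "step 3": _hdr(b"NTLMSSP\x00" + struct.pack("<I", 1) + b"\x07\x82\x08\xa2"),
    "step 7": _hdr(b"\x60\x0a\x06\x06" + SPNEGO_OID + b"\xa0\x00"),
    "step 8": "Negotiate",
}

if __name__ == "__main__":
    for step, value in SAMPLES.items():
        print(step, "->", classify_negotiate(value))
```

Run against header values copied from a packet capture or a proxy debug log, this shows which mechanism the browser sent on each attempt and whether a 407 reply carried a continuation token.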
