[squid-users] Re: Simple Kerberos/Squid configuration "received type 1 NTLM token"

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Wed, 29 Sep 2010 23:00:50 +0100

"Markus Moeller" <huaraz_at_moeller.plus.com> wrote in message
news:i806q2$qmh$1_at_dough.gmane.org...
>
> "barbarossa" <bDmanLIB_at_hotmail.com> wrote in message
> news:1285759672914-2718780.post_at_n4.nabble.com...
>>
>> I don't know why, but authenticating in the IE login dialog using kerberos
>> credentials works now (user_at_REALM.COM, same as for FF).
>>
>> For most of the page requests, squid writes the following to cache.log:
>>
>> 2010/09/29 11:19:50| squid_kerb_auth: Got 'YR …' from squid (length: 767).
>> 2010/09/29 11:19:50| squid_kerb_auth: parseNegTokenInit failed with rc=102
>> 2010/09/29 11:19:50| squid_kerb_auth: AF
>> oYGgMIGdoAMKAQChCwYJKoZIgvcSAQICooGIBIGFYIGCBgkqhkiG9xIBAgICAG9zMHGgAwIBBaEDAgEPomUwY6ADAgEXolwEWktM3mOHT3CdVuGDl7VN64DKZ478GfooqXyH+JFSlneeXjdxNpRCxIF1JD0mfn+gLL0ud5P7SOHMbDX3cDj4B14ghldzGdKUyoFBZbGKoNSZMT3sCDEw0Gx2MA==
>> user_at_REALM.COM
>>
>> Is this normal?
>>
>
> Yes, this (parseNegTokenInit failed with rc=102) is normal for a Kerberos
> library which does not support SPNEGO natively.
>
>> As for IE, it probably deletes the ticket it created when exiting, as each
>> time I exit I must reauthenticate. Why does it not use the MIT ticket? Is
>> there a solution for this (creating "Windows" Kerberos tickets, configuring
>> IE to use MIT tickets, ...).
>>
>
> This is a security feature in Windows. It is not possible for an external
> application to write into the ticket cache. For Vista/7 it might be
> possible, but I think the netidmgr has not implemented it.
>
> You could set up your systems to authenticate users against the KDC, e.g.
> use the KDC like an AD server together with a mapping of local users to
> KDC users. (There have been blogs about this, although I don't recall the
> link.)
>

This might be a starting point
http://technet.microsoft.com/en-us/library/cc736890%28WS.10%29.aspx and
http://sial.org/howto/kerberos/windows/

>> Thanks!
>>
>
> Markus
>
>
Received on Wed Sep 29 2010 - 22:01:05 MDT