Re: [squid-users] Re: Authentication using squid_kerb_auth with Internet Explorer 8 on Windows Server 2008 R2

From: Nick Cairncross <Nick.Cairncross_at_condenast.co.uk>
Date: Tue, 26 Oct 2010 17:02:39 +0100

On 26/10/2010 14:58, "DmitrySh" <sbros_v_at_inbox.lv> wrote:

>
>
>Nick Cairncross wrote:
>>
>>
>> Hi Paul,
>> Just my thoughts (which are minor in relation to the power of other
>> listers..!): Are you specifically running the 64-bit version of IE? How
>> does your DNS look? A/PTR records all in order? What does kerbtray show?
>> What encoding for kerberos are you using? What does klist -ekt <keytab>
>> show? Correct FQDN in your browser?
>> Cheers
>> Nick
>>
>I think we can exclude a mistake in the FQDN in the browser and the 64-bit
>version of the browser (because I'm using a 32-bit OS and browsers).
>In kerbtray I have some keys:
>HTTP/squidhostname.domain.com - AES256-CTS-HMAC-SHA1-96
>krbtgt/DOMAIN.COM - RSADSI-RC4-HMAC
>
>In the keytab file there are 3 records with different encryption types:
>ArcFour with HMAC/md5
>AES-128 CTS mode with 96-bit SHA-1 HMAC
>AES-256 CTS mode with 96-bit SHA-1 HMAC
>
>What about DNS, how can this affect the helper's work?
>
>Regards,
>Dmitry Gorbunov
>--

That seems ok so far. DNS correctness is essential for Kerberos (A and
PTR) but that sounds like it's ok for you if other clients are ok. As are
SPNs and KVNO. I have 2008 x86 servers in a 2003 AD environment and I
don't have any issues with them (that I know of). What's your AD, 2008 or
2003?

Did you use msktutil to create your keytab or ktpass? I found a few issues
with ktpass. Are you authenticating against the same computer as the squid
server or a dummy account?

Here's my setup. I am on Squid 3STABLE20 though...

6 07/22/10 10:46:26 HTTP/squid1@FQDN (DES cbc mode with CRC-32)
6 07/22/10 10:46:26 HTTP/squid1@FQDN (DES cbc mode with RSA-MD5)
6 07/22/10 10:46:26 HTTP/squid1@FQDN (ArcFour with HMAC/md5)
6 07/22/10 10:46:26 HTTP/squid1.fqdn@FQDN (DES cbc mode with CRC-32)
6 07/22/10 10:46:26 HTTP/squid1.fqdn@FQDN (DES cbc mode with RSA-MD5)
6 07/22/10 10:46:26 HTTP/squid1.fqdn@FQDN (ArcFour with HMAC/md5)

(I generated my keytab to include the short name as well as long)

default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

Server 2008 shows a key for HTTP/squid1.fqdn@FQDN RSADSI-RC4-HMAC

I will shortly be building a 3.1.8 squid box for upgrade and can report
back on that.

Nick
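A small checker, added here and not part of the thread or of Squid, for the mismatch Nick is asking about: it parses `klist -ekt` output and a krb5.conf fragment (both constructed samples modelled on the ones in the thread, with a made-up EXAMPLE.COM realm) and reports whether the enctype kerbtray shows for the HTTP/ service ticket has a matching keytab key, a consistent KVNO, and is allowed by permitted_enctypes:

```python
import re

# Constructed sample of `klist -ekt` output, in the format shown in the thread
KLIST_SAMPLE = """\
6 07/22/10 10:46:26 HTTP/squid1@EXAMPLE.COM (ArcFour with HMAC/md5)
6 07/22/10 10:46:26 HTTP/squid1@EXAMPLE.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
6 07/22/10 10:46:26 HTTP/squid1@EXAMPLE.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
"""

# Constructed krb5.conf fragment with the RC4/DES-only list from the thread
KRB5_SAMPLE = """\
[libdefaults]
  default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
  permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
"""

# Display names used by MIT klist and by Windows kerbtray -> krb5.conf names
ENCTYPE_ALIASES = {
    "arcfour with hmac/md5": "rc4-hmac",
    "rsadsi-rc4-hmac": "rc4-hmac",
    "des cbc mode with crc-32": "des-cbc-crc",
    "des cbc mode with rsa-md5": "des-cbc-md5",
    "aes-128 cts mode with 96-bit sha-1 hmac": "aes128-cts-hmac-sha1-96",
    "aes-256 cts mode with 96-bit sha-1 hmac": "aes256-cts-hmac-sha1-96",
}

# kvno  date  time  principal  (enctype description)
KLIST_LINE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((.+)\)\s*$")

def norm(enctype):
    """Map a klist/kerbtray display name to its krb5.conf enctype name."""
    return ENCTYPE_ALIASES.get(enctype.lower(), enctype.lower())

def parse_klist(text):
    """Return {(principal, enctype): kvno} from `klist -ekt` output."""
    keys = {}
    for line in text.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            kvno, principal, desc = m.groups()
            keys[(principal, norm(desc))] = int(kvno)
    return keys

def parse_permitted(text):
    """Return the permitted_enctypes set, or None when the option is absent."""
    m = re.search(r"^\s*permitted_enctypes\s*=\s*(.+)$", text, re.M)
    return set(m.group(1).split()) if m else None

def diagnose(klist_text, krb5_text, principal, client_enctype):
    """List reasons a service ticket of this enctype cannot be decrypted."""
    keys, permitted, etype = parse_klist(klist_text), parse_permitted(krb5_text), norm(client_enctype)
    problems = []
    kvnos = {k for (p, _), k in keys.items() if p == principal}
    if len(kvnos) > 1:  # stale and fresh keys mixed: a ktpass/msktutil symptom
        problems.append("kvno mismatch in keytab: %s" % sorted(kvnos))
    if (principal, etype) not in keys:
        problems.append("no %s key for %s in keytab" % (etype, principal))
    if permitted is not None and etype not in permitted:
        problems.append("%s not in permitted_enctypes" % etype)
    return problems
```

Run it with the enctype kerbtray shows for the HTTP/ ticket; an empty list means keytab and krb5.conf both accept that ticket.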

Received on Tue Oct 26 2010 - 16:02:46 MDT
