RE: [squid-users] Re: Authentication using squid_kerb_auth with Internet Explorer 8 on Windows Server 2008 R2

From: Paul Freeman <paul.freeman_at_eml.com.au>
Date: Wed, 27 Oct 2010 07:19:52 +1100

Hi Markus
My AD servers (I have 2) are both Windows 2008 R2. AD is running at the 2003
functional level. The AD environment is the same one that is working OK with
Squid and Kerberos authentication for Windows XP workstations running IE8.

Regards

Paul

> -----Original Message-----
> From: Markus Moeller [mailto:huaraz_at_moeller.plus.com]
> Sent: Wednesday, 27 October 2010 5:09 AM
> To: squid-users_at_squid-cache.org
> Subject: [squid-users] Re: Authentication using squid_kerb_auth with
> Internet Explorer 8 on Windows Server 2008 R2
>
> Hi Paul,
>
> Is your AD server 2003 or 2008 ?
>
> Markus
>
> "Paul Freeman" <paul.freeman_at_eml.com.au> wrote in message
> news:19672EECFB9AE340833C84F3E90B5956042A4932_at_mel-ex-01.eml.local...
> Hi.
> I have successfully installed Squid 3.1.8 on Ubuntu 10.04 LTS and have enabled
> Kerberos/NTLM authentication using the squid_kerb_auth helper. This setup is
> working well and successfully authenticates Windows domain users when they
> are logged in using their domain credentials on Windows XP workstations using
> Internet Explorer (v6, 7 and 8) and Firefox.
>
> Squid is configured with two helpers, the first, squid_kerb_auth and the
> second, the Samba ntlm helper.
>
> However, today I came across a problem when using Internet Explorer 8 on a
> server running Windows Server 2008 R2. The IE8 enhanced security mode is
> disabled and the logged in user is a standard domain user. The Windows
> server is joined to the domain and is not a domain controller. The Windows
> server is up to date with Microsoft patches and updates.
>
> Authentication is failing for some reason. Instead of authenticating
> silently, the user is prompted for a username and password 6 times before
> receiving the Cache Access Denied message.
>
> If I disable the squid_kerb_auth helper in squid.conf and restart squid,
> leaving only the Samba NTLM helper, authentication works successfully.
>
> In cache.log I find:
> squid_kerb_auth: DEBUG: Got 'YR YII...
> squid_kerb_auth: DEBUG: Decode 'YII...
> squid_kerb_auth: ERROR: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information.
> squid_kerb_auth: INFO: User not authenticated
> authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH gss_accept_sec_contect() failed: Unspecified GSS failure. Minor code may provide more information. '
>
> Has anyone else found this with IE8 on Windows Server 2008 R2? Is it due to
> the 64-bit version of IE8 or some unusual interaction between the IE8 version
> shipped with Windows Server 2008 R2 and the squid_kerb_auth module?
>
> I have a Wireshark capture of the traffic between the browser session on
> Windows Server 2008 R2 and the proxy server during authentication and would
> like to assist with investigating the problem further if someone can provide
> some advice as to where to look.
>
> Regards
>
> Paul
>
Received on Tue Oct 26 2010 - 20:19:41 MDT
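
An added example, not part of the original thread and not code from Squid or squid_kerb_auth: a small Python triage helper that takes the token from a helper debug line like the `Got 'YR YII...` entry quoted above and reports whether it is a GSS-API framed token or raw NTLMSSP, plus the mechanism OIDs it carries. The function names are hypothetical, the full SPNEGO token is constructed for the demonstration, and the OID lookup is a byte search rather than a full ASN.1 parse.

```python
import base64
import re

# DER-encoded mechanism OIDs as they appear inside GSS-API/SPNEGO tokens.
MECHS = {
    bytes.fromhex("06062b0601050502"): "SPNEGO",
    bytes.fromhex("06092a864882f712010202"): "Kerberos 5 (Microsoft legacy OID)",
    bytes.fromhex("06092a864886f712010202"): "Kerberos 5",
    bytes.fromhex("060a2b06010401823702020a"): "NTLMSSP",
}

def token_from_log(line):
    """Pull the base64 token out of a helper debug line such as: Got 'YR YII..."""
    m = re.search(r"Got '(?:YR|KK) ([A-Za-z0-9+/=]+)", line)
    return m.group(1) if m else None

def decode_prefix(b64):
    """Decode as many whole bytes as a (possibly truncated) base64 string holds."""
    s = b64[: len(b64) - (len(b64) % 4 == 1)]  # a lone trailing char adds no byte
    return base64.b64decode(s + "=" * (-len(s) % 4))

def classify(b64):
    """Return (framing, mechanisms in order of appearance); OID search is heuristic."""
    raw = decode_prefix(b64)
    if raw.startswith(b"NTLMSSP\x00"):
        return "raw NTLMSSP", ["NTLMSSP"]
    if raw[:1] != b"\x60":  # 0x60 opens a GSS-API InitialContextToken
        return "unknown", []
    found = sorted((raw.find(oid), name) for oid, name in MECHS.items() if oid in raw)
    return "GSS-API", [name for _, name in found]

def tlv(tag, body):
    """DER tag-length-value for the constructed sample (short-form length only)."""
    return bytes([tag, len(body)]) + body

def sample_spnego():
    """Constructed NegTokenInit carrying only a mechanism list, no ticket."""
    spnego, ms_krb, krb, ntlm = MECHS  # dict keys, in insertion order
    mech_list = tlv(0x30, ms_krb + krb + ntlm)
    init = tlv(0xA0, tlv(0x30, tlv(0xA0, mech_list)))
    return base64.b64encode(tlv(0x60, spnego + init)).decode()

if __name__ == "__main__":
    logged = token_from_log("squid_kerb_auth: DEBUG: Got 'YR YII...")
    print(classify(logged))           # truncated log token: framing only
    print(classify(sample_spnego()))  # constructed full token: mechanism order
```

The truncated `YII...` in cache.log is enough to show the framing only; running `classify()` on the complete token from the `Proxy-Authorization: Negotiate` header in a capture also shows which mechanisms the client offered.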
