RE: [squid-users] Re: Authentication using squid_kerb_auth with Internet Explorer 8 on Windows Server 2008 R2

Markus
OK - I was not sure whether the Kerberos libraries used openssl code.

I have captured traffic for the following where a domain user is logged onto
a w2k8 R2 server (named my-server.my.domain for this discussion) running the
32-bit version of IE8:
1. Between my-server.my.domain and the AD servers

2. Between my-server.my.domain and the squid 3.1.8 proxy server.

I have also captured the traffic between the proxy server and the AD servers
while executing the kinit command you requested.

It's probably not a good idea to post the logs here. Is there anything you
want me to look for?

I have done some investigation and notice a couple of things which may or may
not be relevant or important:

1. When my-server.my.domain issues the TGS-REQ it specifies the fowardable,
renewable and canonicalize flags. For a similar setup except using Win XP,
only the forwardable, renewable flags are set.

2. For the browser session on my-server.my.domain I notice there are repeated
AS-REQ/TGS-REQ requests, even though as far as I can tell the requests are
granted. There are also (probably expected) multiple KRB Error:
KRB5KDC_ERR_PRE_PREAUTH_REQUIRED messages which look they match the
AS-REQ/TGS-REQ requests.

When I look in the security logs of the 2 AD domain controllers, I do not see
any failed Kerberos events but I notice the requests from server
my-server.my.domain have the Client-Address: value set to ::fff:192.168.x.y.
I presume this is am IPv6 address? IPv6 is not selected on the nic of
my-server.my.domain. For the Win XP server, there are 2 event log entries,
one for Client-Address: ::fff:192.168.x.z and the next one for Client-Address
is 192.168.x.z.

I have not observed the multiple Kerberos on Win XP.

Please let me know how I can further assist this investigation.

Regards

Paul

> -----Original Message-----
> From: Markus Moeller [mailto:huaraz_at_moeller.plus.com]
> Sent: Wednesday, 27 October 2010 9:15 AM
> To: squid-users_at_squid-cache.org
> Subject: [squid-users] Re: Authentication using squid_kerb_auth with
> Internet Explorer 8 on Windows Server 2008 R2
>
> Hi Paul,
>
> As far as I know the Kerberos libraries do not use openssl code. Can
> you
> capture the traffic between your 2008 server and AD on port 88 and
> between
> the 2008 server and squid on 3128 (the squid port). Can you also
> capture the
> traffic between squid and AD when you try a kinit -kt squid.keytab
> HTTP/my-proxy-server.my.domain_at_MY.DOMAIN
>
> Regards
> Markus
>
> "Paul Freeman" <paul.freeman_at_eml.com.au> wrote in message
> news:19672EECFB9AE340833C84F3E90B5956043780EF_at_mel-ex-01.eml.local...
> Hi Nick
> Thanks for looking at this. I appreciate your help.
>
> My answers to your questions are in line below
>
> > -----Original Message-----
> > From: Nick Cairncross [mailto:Nick.Cairncross_at_condenast.co.uk]
> > Sent: Tuesday, 26 October 2010 8:36 PM
> > To: Paul Freeman; Squid Users
> > Subject: Re: [squid-users] Authentication using squid_kerb_auth with
> > Internet Explorer 8 on Windows Server 2008 R2
> >
> >
> > On 26/10/2010 03:56, "Paul Freeman" <paul.freeman_at_eml.com.au> wrote:
> >
> >
> > >Hi.
> > >I have successfully installed Squid 3.1.8 on Ubuntu 10.04LTS and
> have
> > >enabled
> > >Kerberos/NTLM authentication using the squid_kerb_auth helper. This
> > >setup is
> > >working well and successfully authenticates Windows domain users
> when
> > they
> > >are logged in using their domain credentials on Windows XP
> > workstations
> > >using
> > >Internet Explorer (v6,7 and 8) and Firefox.
> > >
> > >Squid is configured with two helpers, the first, squid_kerb_auth and
> > the
> > >second, the Samba ntlm helper.
> > >
> > >However, today I came across a problem when using Internet Explorer
> 8
> > on a
> > >server running Windows Server 2008 R2. The IE8 enhanced security
> mode
> > is
> > >disabled and the logged in user is a standard domain user. The
> > Windows
> > >server is joined to the domain and is not a domain controller. The
> > >Windows
> > >server is up to date with Microsoft patches and updates.
> > >
> > >Authentication is failing for some reason. Instead of
> authenticating
> > >silently, the user is prompted for a username and password 6 times
> > before
> > >receiving the Cache Access Denied message.
> > >
> > >If I disable the squid_kerb_auth helper in squid.conf and restart
> > squid,
> > >leaving only the Samba NTLM helper, authentication works
> successfully.
> > >
> > >In cache.log I find:
> > >squid_kerb_auth: DEBUG: Got 'YR YII...
> > >squid_kerb_auth: DEBUG: Decode 'YII...
> > >squid_kerb_auth: ERROR: gss_accept_sec_context() failed: Unspecified
> > GSS
> > >failure. Minor code may provide more information.
> > >squid_kerb_auth: INFO: User not authenticated
> > >authenticateNegotiateHandleReply: Error validating user via
> Negotiate.
> > >Error
> > >returned 'BH gss_accept_sec_contect() failed: Unspecified GSS
> failure.
> > >Minor code may provide more information. '
> > >
> > >Has anyone else found this with IE8 on Windows Server 2008 R2? Is
> it
> > due
> > >to
> > >the 64-bit version of IE8 or some unusual interaction between the
> IE8
> > >version
> > >shipped with Windows Server 2008 R2 and the squid_kerb_auth module?
> > >
> > >I have a Wireshark capture of the traffic between the browser
> session
> > on
> > >Windows Server 2008 R2 and the proxy server during authentication
> and
> > >would
> > >like to assist with investigating the problem further if someone can
> > >provide
> > >some advice as to where to look.
> > >
> > >Regards
> > >
> > >Paul
> >
> >
> > Hi Paul,
> > Just my thoughts (which are minor in relation to the power of other
> > listers..!): Are you specifically running the 64-bit version of IE?
> How
> > does your DNS look? A/PTR records all in order? What does kerbtray
> show?
> > What encoding for kerberos are you using? What does klist -ekt
> <keytab>
> > show? Correct FQDN in your browser?
> > Cheers
> > Nick
> >
> I presumed IE8 was the 64-bit version but on further checking I have
> found
> it
> is the 32-bit version. The 64-bit version is also installed and I have
> tried
> that with the same result.
>
> As far as I know (I set DNS up :-) ), DNS is configured correctly with
> forward and reverse records.
>
> I checked the Kerberos tickets on a Windows XP workstation that
> authenticates
> correctly to squid using IE8 (32-bit) and the Windows 2008 R2 server
> using
> IE8 (32-bit and 64-bit) and found tickets for the proxy server as
> follows:
>
> Win XP Workstation:
> Server: HTTP/my-proxy-server.my.domain_at_MY.DOMAIN
> KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
> End Time: 10/27/2010 17:37:35
> Renew Time: 11/3/2010 7:37:35
>
> Win 2008 R2 server:
> Client" my.login @ MY.DOMAIN
> Server: HTTP/my-proxy-server.my.domain @ MY.DOMAIN
> KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
> Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
> Start Time: 10/27/2010 7:30:13 (local)
> End Time: 10/27/2010 17:17:38 (local)
> Renew Time: 11/3/2010 7:17:38 (local)
> Session Key Type: AES-256-CTS-HMAC-SHA1-96
>
> The key difference is the ticket encryption type: RC4-HMAC for Win XP
> vs
> AES-256-HMAC-SHA1 for Win 2008 R2.
>
> On the proxy server, klist -ekt ticket_file shows:
> KVNO Timestamp Principal
> 2 09/24/10 12:54:16 HTTP/my-proxy-server.my.domain_at_MY.DOMAIN
> (ArcFour with HMAC/md5)
> 2 09/24/10 12:54:16 HTTP/my-proxy-server.my.domain_at_MY.DOMAIN
> (AES-128 CTS mode with 96-bit SHA-1 HMAC)
> 2 09/24/10 12:54:16 HTTP/my-proxy-server.my.domain_at_MY.DOMAIN
> (AES-256 CTS mode with 96-bit SHA-1 HMAC)
>
> I have just remembered that I recently came across a problem with AES-
> 256
> encryption on Ubuntu 10.04LTS. I discovered this when I found I could
> not
> establish a https session to a Linux web server which was using a
> certificate
> I had issued from the Windows Certificate Service on Windows 2008 R2.
> The
> problem turned out to be the certificate was signed by the Root CA
> using
> AES-256. After some "Googling" I found OpenSSL on Ubuntu could not
> manage
> this encryption type. I changed the Root CA encryption type to sha1
> and
> re-issued the linux web server certificate and all was well
>
> I suspect the Kerberos problem I am seeing when authenticating to squid
> is
> similar. Windows 2008 R2 is encrypting using AES-256 but
> squid/kerberos
> cannot decrypt this successfully. Does this sound feasible?
>
> Can I force Windows 2008 R2 to use a different encryption type or can I
> get
> OpenSSL (which I presume is used for the encryption/decryption in
> Kerberos
> on
> Linux) to support AES-256?
>
> Can I debug this further to confirm this?
>
> Regards
>
> Paul
>
> >
> >
> >
> > The information contained in this e-mail is of a confidential nature
> > and is intended only for the addressee. If you are not the intended
> > addressee, any disclosure, copying or distribution by you is
> prohibited
> > and may be unlawful. Disclosure to any party other than the
> addressee,
> > whether inadvertent or otherwise, is not intended to waive privilege
> or
> > confidentiality. Internet communications are not secure and
> therefore
> > Conde Nast does not accept legal responsibility for the contents of
> > this message. Any views or opinions expressed are those of the
> author.
> >
> > The Conde Nast Publications Ltd (No. 226900), Vogue House, Hanover
> > Square, London W1S 1JU
>
Received on Wed Oct 27 2010 - 08:09:29 MDT