Re: [squid-users] Squid with AD Authendication problem (windows 2003)- please help

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 09 Mar 2011 22:18:20 +1300

On 09/03/11 18:02, Sharik M wrote:
> I have configured squid with AD authentication its working fine

Great, so you have no problems.

> but I am getting lots of error for authentication failed.
>

  "working fine" equals "lots of error"

Oh dear, you (any many others) need to seek psychiatric help. You have
been overdosed with marketing language or political speak.

/jokses

>
> squid-2.5.STABLE14-1.4E
> samba-3.0.10-1.4E.11
>

With todays technology trends towards HTTP/1.1 and dynamic content you
need to look at upgrading Squid soonish.

Given the versions I'll take a wild guess and say this page might be of
some interest:
   http://wiki.squid-cache.org/KnowledgeBase/RedHat

>
> Windows 2003 Domain Audit log failure.
>
>
> Pre-authentication failed:
> User Name: proxy$
> User ID: DOMAIN\proxy$
> Service Name: krbtgt/DOMAIN.HOME
> Pre-Authentication Type: 0x0
> Failure Code: 0x19
> Client Address: 10.1.5.12
>
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>

K, for starters...

"Pre-Authentication" is a general term for what Kerberos or NTLM login
*are*.

The browser logs into the DC, then sends a ticket from that
existing/"pre" login along with requests, so that the Squid helper can
ask the DC for permission to let the ticket holder connect.

Squid is merely the middleware and has nothing to do with the auth
ticket itself. It is received from the browser and passed unchanged to
the DC.

Somebody on the network it using stale or invalid login tickets. The
ones with machine account tickets sounds like they may possibly be the
Squid box with a stale ticket. The ones for usernames are more likely
stale tickets the users machines have.

Good luck.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.11
   Beta testers wanted for 3.2.0.5
Received on Wed Mar 09 2011 - 09:18:29 MST

This archive was generated by hypermail 2.2.0 : Wed Mar 09 2011 - 12:00:01 MST