Re: [squid-users] proxy-auth NTLM stop working

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 12 May 2011 14:00:13 +1200

On 12/05/11 02:34, Ricardo Nuno wrote:
>> Okay to Basic auth protocol works. Now what about the other two? you have
>> Negotiate configured as first option and NTLM configured as second.
>> It is *entirely* up to the browser which of the three options it picks to
>> use.
>> - IE is known only to pick the first it can use and not failover.
>> - Recent windows OS will not respond to NTLM by default.
>>
>> Or it could be a simpler failure in the helpers looking up the other
>> protocols tokens.
>
> Actually I narrowed the problem down; it's even more weird than I thought.
> All machines joined in the domain have no issues with the squid_kerb_auth.
>
> We use WPAD on our network by DNS alias for Firefox and by DHCP for IE.
>
> For the machines not joined in the domain using IE8 or IE7, to get the NTLM helper to work
> I had to do the following:
>
> In Internet Options->Connections-> LAN settings:
> * Remove the check from "Automatically detect settings" (which is
> crucial for WPAD)
> * Introduce proxy host and port manually
>
> In Internet Options->Advanced->Settings:
> * Remove the check from "Enable Integrated Windows Authentication"
>
> restart IE and it starts working again with no changes on squid or samba config.

What you have done with "Enable Integrated Windows Authentication" is
disable SSO from using the windows box login token to also login to the
proxy. The token is tightly bound to the particular username and
password spelling, domain name, and encryption hash algorithm.

This is reminding me of some earlier comments (just a few months ago)
about Windows 7 silently moving Kerberos tickets to a new form of AES
hash algorithm some older OpenSSL do not support.

>
> So some update changed the behavior of IE in the last 2 months; I will
> try to find out which one. Any clues?
>
> The way Windows 7 handles NTLM was a known issue for me that I
> normally change in Local Security Policy,
> or on the joined domain machines I handle it with GPO.
>
> Is there any known issue with the WPAD implementation on IE?

Only a very old bug about IE cropping one byte from the WPAD filename if
the extension was >3 bytes. And old IE not understanding the IPv6 java
extensions to PAC.
Neither of those should be relevant.

> Is there any other helper I can use that could do Kerberos auth and
> fall back to NTLM?
>

The negotiate_wrapper might help, but only if you are seeing complaints
about unexpected token types in your cache.log.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.12
   Beta testers wanted for 3.2.0.7 and 3.1.12.1
Received on Thu May 12 2011 - 02:00:24 MDT
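As an added illustration (not code from this thread, from Squid or from negotiate_wrapper), the script below lists the schemes a 407 advertises in the order the proxy sends them and then classifies the token a client returns the way a dispatcher in front of two helpers has to: raw NTLMSSP (the "unexpected token type" a Kerberos-only helper logs) versus a GSS-API/SPNEGO blob. The 407 response and the tokens are constructed samples.

```python
import base64

# Constructed sample: the challenge a proxy sends when it is configured with
# Negotiate first, NTLM second and Basic last, as in the thread above.
SAMPLE_407 = (
    b"HTTP/1.1 407 Proxy Authentication Required\r\n"
    b"Server: squid/3.1.12\r\n"
    b"Proxy-Authenticate: Negotiate\r\n"
    b"Proxy-Authenticate: NTLM\r\n"
    b'Proxy-Authenticate: Basic realm="Squid proxy"\r\n'
    b"Content-Length: 0\r\n\r\n"
)

# Constructed sample of a client answering the Negotiate challenge with a
# GSS-API token (DER APPLICATION 0 tag 0x60, then the SPNEGO/Kerberos OID).
SAMPLE_KERBEROS_HEADER = "Negotiate " + base64.b64encode(
    b"\x60\x82\x01\x02\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"
).decode("ascii")

# Constructed sample of a client answering the same Negotiate challenge with a
# raw NTLMSSP type-1 message instead (what a non-domain Windows box may do).
SAMPLE_NTLM_HEADER = "Negotiate TlRMTVNTUAABAAAA"


def offered_schemes(raw_response: bytes) -> list:
    """Return the schemes from every Proxy-Authenticate header, in proxy order.
    The order matters because IE takes the first one it can use and does not
    fail over to the next."""
    head = raw_response.split(b"\r\n\r\n", 1)[0]
    schemes = []
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"proxy-authenticate":
            schemes.append(value.strip().split(b" ", 1)[0].decode("ascii"))
    return schemes


def classify_token(proxy_authorization: str) -> str:
    """Decide which helper family can parse the client's token: 'ntlm' for a
    raw NTLMSSP message, 'kerberos' for a GSS-API/SPNEGO blob, 'unknown' for
    anything else, 'invalid' if the base64 itself is malformed."""
    _scheme, _, b64 = proxy_authorization.partition(" ")
    try:
        token = base64.b64decode(b64, validate=True)
    except ValueError:                       # binascii.Error is a ValueError
        return "invalid"
    if token.startswith(b"NTLMSSP\x00"):
        return "ntlm"
    if token[:1] == b"\x60":
        return "kerberos"
    return "unknown"
```

A plain Kerberos helper rejects the "ntlm" case; negotiate_wrapper exists precisely to hand that token to the NTLM helper instead.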