Re: [squid-users] Squid Kerberos Authentication

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 15 Jul 2011 14:31:03 +1200

On 15/07/11 13:47, Daniel Faulknor wrote:
> Hi,
>
> I've followed the
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory
> howto, and I am now getting this error in my cache.log
>
> 2011/07/15 12:13:45| squid_kerb_auth: WARNING: received type 1 NTLM token
> 2011/07/15 12:13:45| authenticateNegotiateHandleReply: Error
> validating user via Negotiate. Error returned 'BH received type 1 NTLM
> token'
> 2011/07/15 12:13:54| squid_kerb_auth: DEBUG: Got 'YR
> TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' from squid
> (length: 59).
> 2011/07/15 12:13:54| squid_kerb_auth: DEBUG: Decode
> 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' (decoded
> length: 40).
> 2011/07/15 12:13:54| squid_kerb_auth: WARNING: received type 1 NTLM token
> 2011/07/15 12:13:54| authenticateNegotiateHandleReply: Error
> validating user via Negotiate. Error returned 'BH received type 1 NTLM
> token'
>
> This happens both when trying to access via the proxy using IE/Chrome/Firefox
>
> None of my googling has presented a solution
>
> Thanks

Squid is offering Negotiate/Kerberos auth and the agents are responding
with NTLM or Negotiate/NTLM.

Markus Moeller wrote a negotiate_wrapper helper that works nicely to
cope with Negotiate/NTLM responses. There is nothing we can do about the
other broken agents which return plain NTLM though.

The wrapper helper can be found at:
   http://sourceforge.net/projects/squidkerbauth/files/

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.14
   Beta testers wanted for 3.2.0.9
Received on Fri Jul 15 2011 - 02:31:09 MDT
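
Added example, not part of the original message and not code from Squid or negotiate_wrapper: a Python classifier that decodes the base64 token a client handed to the Negotiate helper and reports whether it holds a raw NTLMSSP message, an SPNEGO token listing NTLM first, or Kerberos. The token is the one from the cache.log excerpt above; the function names and result labels are assumptions made for illustration.

```python
import base64
import struct

# Token copied from the cache.log excerpt in the message above.
LOGGED_TOKEN = "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=="

# DER content bytes of the mechanism OIDs.
SPNEGO_OID = bytes.fromhex("2b0601050502")           # 1.3.6.1.5.5.2
NTLMSSP_OID = bytes.fromhex("2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
KRB5_OIDS = (bytes.fromhex("2a864886f712010202"),    # 1.2.840.113554.1.2.2
             bytes.fromhex("2a864882f712010202"))    # 1.2.840.48018.1.2.2 (MS)


def read_tlv(buf, pos, want_tag):
    """Parse one DER element at pos; return (value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if tag != want_tag or pos + length > len(buf):
        raise ValueError("unexpected or truncated DER element")
    return pos, pos + length


def classify(token_b64):
    """Name the mechanism carried in a base64 Negotiate token."""
    try:
        raw = base64.b64decode(token_b64, validate=True)
        if raw.startswith(b"NTLMSSP\x00") and len(raw) >= 12:
            # Message type is a little-endian uint32 after the signature.
            return "raw NTLMSSP type %d" % struct.unpack_from("<I", raw, 8)
        pos, _ = read_tlv(raw, 0, 0x60)          # GSS-API InitialContextToken
        start, end = read_tlv(raw, pos, 0x06)    # thisMech OID
        mech = raw[start:end]
        if mech in KRB5_OIDS:
            return "Kerberos"
        if mech != SPNEGO_OID:
            return "unknown"
        pos = end
        # NegTokenInit: [0] -> SEQUENCE -> [0] mechTypes -> SEQUENCE OF OID
        for tag in (0xA0, 0x30, 0xA0, 0x30):
            pos, _ = read_tlv(raw, pos, tag)
        start, end = read_tlv(raw, pos, 0x06)    # first OID = preferred mech
        mech = raw[start:end]
    except (IndexError, ValueError):             # bad base64 or malformed DER
        return "unknown"
    if mech in KRB5_OIDS:
        return "Kerberos"
    return "SPNEGO offering NTLM first" if mech == NTLMSSP_OID else "unknown"
```

Running `classify(LOGGED_TOKEN)` reports a raw NTLMSSP type 1 message, which matches the squid_kerb_auth warning in the log.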
