[squid-users] Re: squid 3.1.14 kerberos single sign on

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Mon, 25 Jul 2011 21:26:43 +0100

This looks like the client does not get a Kerberos token, which can have
several reasons.

  1) Is the proxy name used in the browser the fqdn used in the
servicePrincipalName in AD, e.g. HTTP/<fqdn> ?
  2) Is the right encryption type used (Win7 / 2008 do not support DES out
of the box)

Can you capture with Wireshark the communication between your Win7 client
and AD on port 88 (the Kerberos port) and send me the capture file?

Regards
Markus

"Ming Fu" <Ming.Fu_at_watchguard.com> wrote in message
news:09177155B3E82945AD8AF1F744B326458A7E1581_at_es05co...
Hi,

I am trying to set up squid 3.1.14 on Linux with Kerberos SSO against a Windows
2008 server and a Win7 client.
Both Firefox 5.0.1 and IE 8 generate the same log from squid.

Is this a problem with squid or the browsers?

---- squid logs ----
2011/07/25 10:54:29| Accepting HTTP connections at [::]:3128, FD 31.
2011/07/25 10:54:29| HTCP Disabled.
2011/07/25 10:54:29| squid_kerb_auth: INFO: Starting version 1.0.5
2011/07/25 10:54:29| squid_kerb_auth: INFO: Starting version 1.0.5
2011/07/25 10:54:29| Loaded Icons.
2011/07/25 10:54:29| Ready to serve requests.
2011/07/25 10:55:40| squid_kerb_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid (length: 59).
2011/07/25 10:55:40| squid_kerb_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' (decoded length: 40).
2011/07/25 10:55:40| squid_kerb_auth: WARNING: received type 1 NTLM token
2011/07/25 10:55:40| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'

--- HTTP exchange Firefox to squid -----
GET http://www.google.ca/ HTTP/1.1
Host: www.google.ca
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0.1) Gecko/20100101
Firefox/5.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://www.google.ca/
Cookie:
PREF=ID=c7a9ded9c38f7fe3:U=5104260d840ffece:FF=0:TM=1311350545:LM=1311350546:S=CwtXJNRFT1U2j2O8;
NID=49=W5u6mljBsItvKL3sO3IeIPlhRWCzhZ29I_vbIPqWOlIGJkraxqtEfFdfCz2Hqs4HPrqf-O4eBSR6BUpyEfmw6CXbxQEnMDRnD8PRRVWLQbuJYgKsCwaUGJIf8sJWDGu7

HTTP/1.0 407 Proxy Authentication Required
Server: squid/3.1.14
Mime-Version: 1.0
Date: Mon, 25 Jul 2011 15:38:05 GMT
Content-Type: text/html
Content-Length: 3945
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en-us
Proxy-Authenticate: Negotiate
X-Cache: MISS from squid.sit26.borderware.com
Via: 1.0 squid.sit26.borderware.com (squid/3.1.14)
Connection: keep-alive

GET http://www.google.ca/ HTTP/1.1
Host: www.google.ca
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0.1) Gecko/20100101
Firefox/5.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://www.google.ca/
Cookie:
PREF=ID=c7a9ded9c38f7fe3:U=5104260d840ffece:FF=0:TM=1311350545:LM=1311350546:S=CwtXJNRFT1U2j2O8;
NID=49=W5u6mljBsItvKL3sO3IeIPlhRWCzhZ29I_vbIPqWOlIGJkraxqtEfFdfCz2Hqs4HPrqf-O4eBSR6BUpyEfmw6CXbxQEnMDRnD8PRRVWLQbuJYgKsCwaUGJIf8sJWDGu7
Proxy-Authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==

Regards,
Ming
Received on Mon Jul 25 2011 - 20:27:13 MDT
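The following decoder is an added example written for this archive page; it is not part of the thread and not code from Squid or squid_kerb_auth. It takes the Proxy-Authorization value from the capture above and tells a raw NTLMSSP token apart from a GSS-API framed SPNEGO or Kerberos token, which is the distinction behind the "received type 1 NTLM token" warning: the browser answered the Negotiate challenge with NTLM, so no Kerberos service ticket was obtained, and a Kerberos-only helper rejects it. For an NTLM NEGOTIATE_MESSAGE it also reads the NegotiateFlags and the Version block, which reveals the client OS build (the two tokens quoted in the thread differ only in that build field). The two token strings are copied from the log and the capture above; the flag table is a subset of MS-NLMP; the SPNEGO and Kerberos tokens used in the usage are constructed minimal framings, not captured traffic.

```python
import base64
import struct

# Tokens copied verbatim from the squid_kerb_auth log and the Firefox
# capture quoted in the message above (not constructed).
LOG_TOKEN = "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw=="
CAPTURE_TOKEN = "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=="

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
# DER-encoded mechanism OIDs that follow the 0x60 [APPLICATION 0] GSS-API
# framing tag (RFC 2743, section 3.1) in a real Negotiate token.
SPNEGO_OID = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")    # 1.2.840.113554.1.2.2

# Subset of MS-NLMP NegotiateFlags (section 2.2.2.5) worth showing here.
NEGOTIATE_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL",
    0x00000080: "NEGOTIATE_LM_KEY",
    0x00000200: "NEGOTIATE_NTLM",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x02000000: "NEGOTIATE_VERSION",
    0x20000000: "NEGOTIATE_128",
    0x40000000: "NEGOTIATE_KEY_EXCH",
    0x80000000: "NEGOTIATE_56",
}
NEGOTIATE_VERSION_FLAG = 0x02000000


def _der_length(buf, pos):
    """Return (length, next_pos) for the DER length field at buf[pos]."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def classify_token(raw):
    """Distinguish raw NTLMSSP from GSS-API framed SPNEGO / Kerberos tokens."""
    if raw.startswith(NTLMSSP_SIGNATURE):
        return "ntlmssp"            # NTLM sent inside the Negotiate scheme
    if raw[:1] == b"\x60":         # [APPLICATION 0] InitialContextToken
        _, pos = _der_length(raw, 1)
        if raw.startswith(SPNEGO_OID, pos):
            return "spnego"
        if raw.startswith(KRB5_OID, pos):
            return "krb5"
        return "gss-other"
    return "unknown"


def parse_ntlm_negotiate(raw):
    """Decode the fixed part of an NTLM NEGOTIATE_MESSAGE (MS-NLMP 2.2.1.1)."""
    if not raw.startswith(NTLMSSP_SIGNATURE) or len(raw) < 32:
        raise ValueError("not an NTLMSSP message")
    msg_type, flags = struct.unpack_from("<II", raw, 8)
    if msg_type != 1:
        raise ValueError("NTLMSSP message type %d is not NEGOTIATE" % msg_type)
    info = {
        "message_type": msg_type,
        "flags": flags,
        "flag_names": [name for bit, name in sorted(NEGOTIATE_FLAGS.items())
                       if flags & bit],
        "version": None,
    }
    # Offsets 16-31 hold the DomainName and Workstation fields; the 8-byte
    # Version block at offset 32 is present only when NEGOTIATE_VERSION is set:
    # major, minor, build (LE), 3 reserved bytes, NTLMRevisionCurrent.
    if flags & NEGOTIATE_VERSION_FLAG and len(raw) >= 40:
        major, minor, build, revision = struct.unpack_from("<BBH3xB", raw, 32)
        info["version"] = (major, minor, build, revision)
    return info


def inspect_proxy_authorization(header_value):
    """Explain what a client put in a Proxy-Authorization header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return {"scheme": scheme, "kind": "not-negotiate"}
    raw = base64.b64decode(b64)
    result = {"scheme": scheme, "kind": classify_token(raw)}
    if result["kind"] == "ntlmssp":
        result.update(parse_ntlm_negotiate(raw))
    return result


if __name__ == "__main__":
    for token in (LOG_TOKEN, CAPTURE_TOKEN):
        print(inspect_proxy_authorization("Negotiate " + token))
```

Both quoted tokens decode to an NTLM type 1 message with flags 0xE2088297 and a Version block of 6.1 (Windows 7), builds 7600 and 7601 respectively. A working Kerberos SSO exchange would instead yield a token that classifies as "spnego" with a Kerberos AP-REQ inside, which is what a port 88 capture against AD should show being obtained first.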

This archive was generated by hypermail 2.2.0 : Thu Jul 28 2011 - 12:00:03 MDT