[squid-users] Re: Re: squid 3.1.14 kerberos single sign on

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Thu, 28 Jul 2011 20:05:40 +0100

Hi Ming,

  The setspn details look correct, but the client obviously gets a reply from
AD that the principal does not exist (KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN).
  Is there a space or a typo anywhere?

Markus

"Ming Fu" <Ming.Fu_at_watchguard.com> wrote in message
news:09177155B3E82945AD8AF1F744B326458A7E55C8_at_es05co...
Hi Markus,

From the windows domain controller:
=======================================================
Microsoft Windows [Version 6.0.6002]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.

C:\Users\Administrator>setspn -L squid
Registered ServicePrincipalNames for
CN=squid,CN=Users,DC=sit26,DC=borderware,DC
=com:
        HTTP/squid.sit26.borderware.com

C:\Users\Administrator>
=========================================================

From the wireshark:
==============================================================
The Kerberos response error is
Error code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
Realm: SIT26.BORDERWARE.COM
Server Name (Service and Instance): HTTP/squid.sit26.borderware.com
   Name-type: service and instance (2)
   Name: HTTP
   Name: squid.sit26.borderware.com
===============================================================

I can attach the whole tcpdump if necessary.

Regards,
Ming

> -----Original Message-----
> From: Markus Moeller [mailto:huaraz_at_moeller.plus.com]
> Sent: Monday, July 25, 2011 4:27 PM
> To: squid-users_at_squid-cache.org
> Subject: [squid-users] Re: squid 3.1.14 kerberos single sign on
>
> This looks like the client does not get a Kerberos token, which can have
> several reasons.
>
> 1) Is the proxy name used in the browser the fqdn used in the
> serviceprincipalname in AD, e.g. HTTP/<fqdn> ?
> 2) Is the right encryption type used (Win7 / 2008 do not support DES
> out
> of the box)
>
> Can you capture with wireshark the communication between your Win7
> client
> and AD on port 88 ( Kerberos port ) and send me the capture file ?
>
> Regards
> Markus
>
>
> "Ming Fu" <Ming.Fu_at_watchguard.com> wrote in message
> news:09177155B3E82945AD8AF1F744B326458A7E1581_at_es05co...
> Hi,
>
> I am trying to set up squid 3.1.14 on linux with Kerberos SSO against
> windows
> 2008 server and win7 client.
> But both firefox 5.0.1 and IE 8 generate the same log from squid.
>
> Is this a problem with squid or the browsers?
>
> ---- squid logs ----
> 2011/07/25 10:54:29| Accepting HTTP connections at [::]:3128, FD 31.
> 2011/07/25 10:54:29| HTCP Disabled.
> 2011/07/25 10:54:29| squid_kerb_auth: INFO: Starting version 1.0.5
> 2011/07/25 10:54:29| squid_kerb_auth: INFO: Starting version 1.0.5
> 2011/07/25 10:54:29| Loaded Icons.
> 2011/07/25 10:54:29| Ready to serve requests.
> 2011/07/25 10:55:40| squid_kerb_auth: DEBUG: Got 'YR
> TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid
> (length: 59).
> 2011/07/25 10:55:40| squid_kerb_auth: DEBUG: Decode
> 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' (decoded
> length:
> 40).
> 2011/07/25 10:55:40| squid_kerb_auth: WARNING: received type 1 NTLM
> token
> 2011/07/25 10:55:40| authenticateNegotiateHandleReply: Error validating
> user
> via Negotiate. Error returned 'BH received type 1 NTLM token'
>
>
> --- HTTP exchange Firefox to squid -----
> GET http://www.google.ca/ HTTP/1.1
> Host: www.google.ca
> User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0.1) Gecko/20100101
> Firefox/5.0.1
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip, deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Proxy-Connection: keep-alive
> Referer: http://www.google.ca/
> Cookie:
> PREF=ID=c7a9ded9c38f7fe3:U=5104260d840ffece:FF=0:TM=1311350545:LM=131135
> 0546:S=CwtXJNRFT1U2j2O8;
> NID=49=W5u6mljBsItvKL3sO3IeIPlhRWCzhZ29I_vbIPqWOlIGJkraxqtEfFdfCz2Hqs4HP
> rqf-O4eBSR6BUpyEfmw6CXbxQEnMDRnD8PRRVWLQbuJYgKsCwaUGJIf8sJWDGu7
>
> HTTP/1.0 407 Proxy Authentication Required
> Server: squid/3.1.14
> Mime-Version: 1.0
> Date: Mon, 25 Jul 2011 15:38:05 GMT
> Content-Type: text/html
> Content-Length: 3945
> X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
> Vary: Accept-Language
> Content-Language: en-us
> Proxy-Authenticate: Negotiate
> X-Cache: MISS from squid.sit26.borderware.com
> Via: 1.0 squid.sit26.borderware.com (squid/3.1.14)
> Connection: keep-alive
>
> GET http://www.google.ca/ HTTP/1.1
> Host: www.google.ca
> User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0.1) Gecko/20100101
> Firefox/5.0.1
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip, deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Proxy-Connection: keep-alive
> Referer: http://www.google.ca/
> Cookie:
> PREF=ID=c7a9ded9c38f7fe3:U=5104260d840ffece:FF=0:TM=1311350545:LM=131135
> 0546:S=CwtXJNRFT1U2j2O8;
> NID=49=W5u6mljBsItvKL3sO3IeIPlhRWCzhZ29I_vbIPqWOlIGJkraxqtEfFdfCz2Hqs4HP
> rqf-O4eBSR6BUpyEfmw6CXbxQEnMDRnD8PRRVWLQbuJYgKsCwaUGJIf8sJWDGu7
> Proxy-Authorization: Negotiate
> TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==
>
>
> Regards,
> Ming
>
Received on Thu Jul 28 2011 - 19:06:09 MDT
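Added illustration, not part of the thread or of squid's own code: the `squid_kerb_auth` WARNING in Ming's log ("received type 1 NTLM token") is the helper noticing that the base64-decoded `Negotiate` blob begins with the raw `NTLMSSP\0` signature instead of the ASN.1 `0x60` InitialContextToken header that a SPNEGO/Kerberos token carries. The Python below decodes the two tokens quoted in the log and in the Firefox capture and reports what the helper saw (mechanism, NTLM message type, negotiate flags, and the client OS version the token embeds); the SPNEGO sample is constructed here for contrast, and the classification logic, function names and flag subset are mine, not squid's.

```python
import base64
import struct

# Both tokens are copied from the thread: the first from the squid_kerb_auth
# DEBUG line (after the "YR " prefix), the second from the Proxy-Authorization
# header in the Firefox capture.
NTLM_TOKEN_FROM_LOG = "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw=="
NTLM_TOKEN_FROM_CAPTURE = "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=="

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"

# DER-encoded mechanism OIDs that follow the 0x60 InitialContextToken tag
# (RFC 2743 section 3.1). A raw NTLM token never starts this way.
MECH_OIDS = {
    "SPNEGO": b"\x06\x06\x2b\x06\x01\x05\x05\x02",                          # 1.3.6.1.5.5.2
    "Kerberos v5": b"\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02",          # 1.2.840.113554.1.2.2
    "Kerberos v5 (MS legacy OID)": b"\x06\x09\x2a\x86\x48\x82\xf7\x12\x01\x02\x02",
}

# Constructed sample for contrast: a bare SPNEGO InitialContextToken header
# (tag 0x60, length 8, SPNEGO OID) with no inner NegTokenInit.
SPNEGO_SAMPLE_B64 = base64.b64encode(b"\x60\x08" + MECH_OIDS["SPNEGO"]).decode()

# Subset of the NEGOTIATE flags defined in MS-NLMP 2.2.2.5.
NTLM_FLAGS = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE",
    0x00000002: "NTLM_NEGOTIATE_OEM",
    0x00000004: "NTLMSSP_REQUEST_TARGET",
    0x00000010: "NTLMSSP_NEGOTIATE_SIGN",
    0x00000080: "NTLMSSP_NEGOTIATE_LM_KEY",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x02000000: "NTLMSSP_NEGOTIATE_VERSION",
    0x20000000: "NTLMSSP_NEGOTIATE_128",
    0x40000000: "NTLMSSP_NEGOTIATE_KEY_EXCH",
    0x80000000: "NTLMSSP_NEGOTIATE_56",
}


def parse_ntlm(raw: bytes) -> dict:
    """Read the fixed header of an NTLMSSP message: type, flags and, when the
    VERSION flag is set, the 8-byte version block at offset 32 of a type 1."""
    out = {"message_type": struct.unpack_from("<I", raw, 8)[0]}
    if out["message_type"] == 1 and len(raw) >= 16:
        flags = struct.unpack_from("<I", raw, 12)[0]
        out["flags"] = flags
        out["flag_names"] = [name for bit, name in NTLM_FLAGS.items() if flags & bit]
        if flags & 0x02000000 and len(raw) >= 40:
            major, minor, build, revision = struct.unpack_from("<BBH3xB", raw, 32)
            out["client_os_version"] = f"{major}.{minor}.{build}"
            out["ntlm_revision"] = revision
    return out


def _der_length(raw: bytes, pos: int):
    """Decode a DER length (short or long form) starting at raw[pos]."""
    first = raw[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(raw[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def gss_mechanism(raw: bytes) -> str:
    """Name the mechanism OID inside a GSS-API InitialContextToken."""
    _, pos = _der_length(raw, 1)
    for name, oid in MECH_OIDS.items():
        if raw[pos:pos + len(oid)] == oid:
            return name
    return "GSS-API (unrecognised mechanism)"


def classify_negotiate_token(b64: str) -> dict:
    """Classify the blob a browser sent in Proxy-Authorization: Negotiate."""
    raw = base64.b64decode(b64)
    info = {"decoded_length": len(raw)}
    if raw.startswith(NTLMSSP_SIGNATURE) and len(raw) >= 12:
        info["mechanism"] = "NTLM"
        info.update(parse_ntlm(raw))
    elif raw[:1] == b"\x60":
        info["mechanism"] = gss_mechanism(raw)
    else:
        info["mechanism"] = "unknown"
    return info


def summarize(b64: str) -> str:
    """One-line summary in the spirit of the helper's DEBUG/WARNING output."""
    info = classify_negotiate_token(b64)
    line = f"{info['mechanism']} token, {info['decoded_length']} bytes"
    if info["mechanism"] == "NTLM":
        line += f", type {info['message_type']}"
        if "client_os_version" in info:
            line += f", client OS {info['client_os_version']}"
    return line


if __name__ == "__main__":
    for label, tok in (("log", NTLM_TOKEN_FROM_LOG),
                       ("capture", NTLM_TOKEN_FROM_CAPTURE),
                       ("constructed SPNEGO", SPNEGO_SAMPLE_B64)):
        print(f"{label:>18}: {summarize(tok)}")
```

Running it shows that both browser tokens are NTLM type 1 (negotiate) messages from a Windows 6.1 client, not SPNEGO-wrapped Kerberos, which matches the KDC's KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN reply in the capture: the browser could not obtain a ticket for HTTP/squid.sit26.borderware.com, so it fell back to NTLM, and the Kerberos-only helper rejects that. Checking the first decoded bytes of a rejected token this way tells you whether the problem lies in the SPN/KDC side (NTLM fallback) or in the helper's keytab and encryption types (a genuine Kerberos token that still fails).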

This archive was generated by hypermail 2.2.0 : Fri Jul 29 2011 - 12:00:02 MDT