Re: [squid-users] Kerberos authentication and WMP.

From: John Down <guest01_at_gmail.com>
Date: Mon, 15 Aug 2011 21:18:04 +0200

Hi,

We had the same problem, WMP just sucks ... We were using WMP 10.x on
WinXP and Kerberos-Authentication did not work. Btw, we also have the
problem with Java-Applications.
I cannot offer a solution, just a very insecure workaround ... WMP will
be authenticated by its User-Agent, which can easily be spoofed.
Functionality over security, which makes me very unhappy, but I have no
other choice ...

regards,
Peter

On 15/08/11 21:01, João Carlos Dias wrote:
> We are trying to use squid with kerberos and basic authentication, but
> we've been having some trouble authenticating Windows Media Player.
>
> Our environment:
> Proxy server OS: Red Hat Enterprise Linux Server release 6.0
> KDC OS: Windows Server 2008 R2
> SQUID: 3.1.4
> CLIENT OS: Windows XP SP3 and Windows VISTA (both with WMP 11)
>
> We followed this guide:
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos and
> created, in the KDC, the user "squid" and its keytab file.
>
> Main files and configurations below:
> ########### krb5.conf ####################
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
> [libdefaults]
> default_realm = MYDOMAIN
> dns_lookup_realm = true
> dns_lookup_kdc = true
> default_keytab_name = /etc/squid/squid-proxy.keytab
> ticket_lifetime = 24h
> forwardable = yes
> ; for Windows 2008 with AES
> default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> [realms]
> DOMAIN = {
> kdc = KDC_NAME.MYDOMAIN
> admin_server = KDC_NAME.MYDOMAIN
> default_domain = MYDOMAIN
> }
> [domain_realm]
> .mydomain = MYDOMAIN
> mydomain = MYDOMAIN
> [appdefaults]
> pam = {
> debug = false
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = false
> }
>
> ########## squid.conf ####################
> # KERBEROS Authentication
> auth_param negotiate program /usr/lib64/squid/squid_kerb_auth -d -s HTTP/myproxyname.mydomain@MYDOMAIN
> auth_param negotiate children 10
> auth_param negotiate keep_alive on
> # Basic Authentication
> auth_param basic program /usr/lib64/squid/squid_ldap_auth -R -b "<my basedn>" -D "<my binddn>" -w <password> -f "sAMAccountName=%s" <KDC IP>
> auth_param basic children 10
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
>
> #
> # Recommended minimum configuration:
> #
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl localhost src ::1/128
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
> acl to_localhost dst ::1/128
> # Example rule allowing access from your local networks.
> # Adapt to list your (internal) IP networks from where browsing
> # should be allowed
> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> acl localnet src fc00::/7 # RFC 4193 local private network range
> acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> acl autentica_user-proxyauth proxy_auth REQUIRED
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow autentica_user-proxyauth
> http_access deny all
> hierarchy_stoplist cgi-bin ?
> cache_mem 50 MB
> maximum_object_size 51200 KB
> coredump_dir /var/spool/squid
> debug_options 28,9 29,9
> cache_store_log none
> error_directory /usr/share/squid/errors/pt-br
> hierarchy_stoplist cgi-bin ?
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
> quick_abort_min -1 KB
>
> ############ SPN's in keytab file ####################
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>    3 12/31/69 21:00:00 HTTP/myproxyname.mydomain@MYDOMAIN (DES cbc mode with CRC-32)
>    3 12/31/69 21:00:00 HTTP/myproxyname.mydomain@MYDOMAIN (DES cbc mode with RSA-MD5)
>    3 12/31/69 21:00:00 HTTP/myproxyname.mydomain@MYDOMAIN (ArcFour with HMAC/md5)
>    3 12/31/69 21:00:00 HTTP/myproxyname.mydomain@MYDOMAIN (AES-256 CTS mode with 96-bit SHA-1 HMAC)
>    3 12/31/69 21:00:00 HTTP/myproxyname.mydomain@MYDOMAIN (AES-128 CTS mode with 96-bit SHA-1 HMAC)
>
> The problem:
>
> Sites with WMP embedded don't open the media requests (audio or video)
> and keep popping up requests for user and password.
> Tests and verifications already made:
> The first tcpdump showed us that when the client (WMP) did the TGS-REQ
> to the KDC, the SPN was host/myproxyname.mydomain, to which the KDC responded
> (TGS-REP) with the error "KRB_S_PRINCIPAL_UNKNOWN".
> Indeed, we hadn't created an SPN host/myproxyname.mydomain in the squid
> user account; the only SPN we had was HTTP/myproxyname.mydomain. So,
> our first action was to add the SPN host/myproxyname.mydomain to the squid
> user account and the keytab file, but it didn't work.
> So, our second action was to create, in the KDC, a machine account
> called "myproxyname" and put the SPN host/myproxyname.mydomain there.
> The error "KRB_S_PRINCIPAL_UNKNOWN" didn't occur anymore, as confirmed
> by tcpdump, but WMP still continued requesting user and password.
> At this point we saw that when WMP couldn't authenticate via Kerberos,
> it fell back to NTLM, but we couldn't find Kerberos errors in the
> tcpdump.
>
> So, the question is: why fall back to NTLM if only Negotiate/Kerberos
> and Basic authentication exist?
> Real Media Player works fine; it falls back to Basic authentication.
>
> Has anyone else faced this problem?
>
> The strangest thing was that even when we enabled NTLM authentication
> below the Negotiate lines, the WMP requests continued to be handled by
> the squid_kerb_auth program, so they never authenticated via the NTLM
> program.
>
> Please, any help or ideas on how to solve this problem?
>
> Thanks in advance.
>
> Some links already visited:
> http://blogs.technet.com/b/askds/archive/2008/06/09/kerberos-authentication-problems-service-principal-name-spn-issues-part-2.aspx
> http://technet.microsoft.com/en-us/library/cc749438(WS.10).aspx
>
Received on Mon Aug 15 2011 - 19:18:15 MDT

This archive was generated by hypermail 2.2.0 : Tue Aug 16 2011 - 12:00:02 MDT
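A diagnostic added here by the editor, not code from the thread or from the Squid project. It addresses the poster's question of why requests "fall back to NTLM" yet still land in squid_kerb_auth: on Windows, the SSPI Negotiate package sends NTLM under the same `Negotiate` HTTP scheme name it uses for Kerberos, either as a raw NTLMSSP message or as a SPNEGO NegTokenInit whose mechTypes list contains only the NTLMSSP OID, so Squid dispatches it to the negotiate helper, which cannot service it and answers 407 again. The script takes the value of a captured `Proxy-Authorization` header (copied from a tcpdump/Wireshark TCP stream) and reports which mechanism the client is actually offering. The mechanism OIDs are assumed well-known values; the sample tokens at the bottom are constructed in the script, not captured from the poster's network.

```python
import base64

# GSS/SPNEGO mechanism OIDs (assumed well-known values).
OIDS = {
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.2.840.48018.1.2.2": "MS Kerberos V5",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV at pos; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(val):
    """Decode DER OID content bytes to dotted form."""
    parts, acc = [str(val[0] // 40), str(val[0] % 40)], 0
    for b in val[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def classify_negotiate_token(b64token):
    """Describe the GSS token carried by 'Proxy-Authorization: Negotiate <b64token>'."""
    raw = base64.b64decode(b64token)
    if raw.startswith(b"NTLMSSP\x00"):            # raw NTLM: base64 begins "TlRMTVNTUAAB"
        return {"kind": "NTLMSSP", "mechs": ["NTLMSSP"],
                "ntlm_message_type": int.from_bytes(raw[8:12], "little")}
    if not raw or raw[0] != 0x60:                 # not a GSS-API InitialContextToken
        return {"kind": "unknown", "mechs": []}
    _, inner, _ = _read_tlv(raw, 0)               # [APPLICATION 0] wrapper
    _, oid_bytes, pos = _read_tlv(inner, 0)       # thisMech OID
    mech = OIDS.get(_decode_oid(oid_bytes), _decode_oid(oid_bytes))
    if mech != "SPNEGO":
        return {"kind": mech, "mechs": [mech]}    # e.g. a bare Kerberos AP-REQ
    # NegotiationToken CHOICE: negTokenInit [0] SEQUENCE { mechTypes [0] SEQUENCE OF OID, ... }
    _, neg_init, _ = _read_tlv(inner, pos)
    _, seq, _ = _read_tlv(neg_init, 0)
    _, mech_ctx, _ = _read_tlv(seq, 0)
    _, mech_seq, _ = _read_tlv(mech_ctx, 0)
    mechs, p = [], 0
    while p < len(mech_seq):                      # the client's preference order
        _, v, p = _read_tlv(mech_seq, p)
        mechs.append(OIDS.get(_decode_oid(v), _decode_oid(v)))
    return {"kind": "SPNEGO", "mechs": mechs}


def classify_proxy_authorization(header_value):
    """Accept the full header value: 'Negotiate <b64>', 'Basic <b64>', 'NTLM <b64>'."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return {"kind": scheme, "mechs": []}
    return classify_negotiate_token(token)


# --- constructed sample tokens; the tiny DER encoder exists only to build them ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    parts = [int(x) for x in dotted.split(".")]
    out = bytes([parts[0] * 40 + parts[1]])
    for v in parts[2:]:
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.insert(0, 0x80 | (v & 0x7F))
            v >>= 7
        out += bytes(chunk)
    return out


def build_spnego_init(mech_oids):
    """Constructed minimal SPNEGO NegTokenInit offering mech_oids (mechToken omitted)."""
    mech_list = _der(0x30, b"".join(_der(0x06, _encode_oid(o)) for o in mech_oids))
    neg_init = _der(0xA0, _der(0x30, _der(0xA0, mech_list)))
    return base64.b64encode(_der(0x60, _der(0x06, _encode_oid("1.3.6.1.5.5.2")) + neg_init)).decode()


# Constructed NTLMSSP NEGOTIATE (type 1): signature, message type, flags only.
SAMPLE_NTLM = base64.b64encode(b"NTLMSSP\x00" + (1).to_bytes(4, "little") + b"\x07\x82\x08\xa2").decode()
# A client with a usable ticket offers Kerberos first; one that gave up offers only NTLMSSP.
SAMPLE_KERB = build_spnego_init(["1.2.840.48018.1.2.2", "1.2.840.113554.1.2.2", "1.3.6.1.4.1.311.2.2.10"])
SAMPLE_NTLM_ONLY = build_spnego_init(["1.3.6.1.4.1.311.2.2.10"])

if __name__ == "__main__":
    for label, hdr in [("raw NTLM", "Negotiate " + SAMPLE_NTLM),
                       ("spnego kerberos", "Negotiate " + SAMPLE_KERB),
                       ("spnego ntlm-only", "Negotiate " + SAMPLE_NTLM_ONLY),
                       ("basic", "Basic dXNlcjpwYXNz")]:
        print(f"{label:18} -> {classify_proxy_authorization(hdr)}")
```

If the captured WMP request classifies as `NTLMSSP` or as SPNEGO with only `NTLMSSP` in its mechTypes, the client never obtained (or never tried to use) a service ticket for the proxy, and a Kerberos-only helper has nothing to do with the token; the 407 loop the poster describes is the expected outcome. The same check on Internet Explorer or the Real Media Player request should show Kerberos first in the list, which is the quickest way to confirm that the proxy side (SPN, keytab, `auth_param negotiate` line) is fine and the problem is client-specific.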