Re: [squid-users] Kerberos with LDAP authentication failover and iTunes auth problems

From: Amos Jeffries <>
Date: Fri, 23 Dec 2011 15:13:10 +1300

On 23/12/2011 12:39 p.m., James Robertson wrote:
> We have successfully deployed a squid3 proxy in a Windows AD domain
> that authenticates users with the kerberos helper and uses LDAP
> queries to allow access based on Security groups in AD. This works
> perfectly for IE, FF and Chrome and no authentication pop-ups occur.
> We realised that not all applications use this authentication and that
> sometimes non-domain PCs might need internet access so LDAP was to be
> used as a backup authentication method.

Please get this straight: LDAP is *not* an authentication method.
It is one of several interfaces to AD. There are several real
authentication methods which operate very differently and all use LDAP
to contact AD.

> I tested using a non-domain user on a Win7 workstation and when
> opening IE it prompts for a login as I had expected but I notice that
> I have to input the username and password a second time before it will
> allow access. I also notice when this happens that the second
> authentication dialogue automatically adds the domain prefix, i.e.
> DOMAIN\user and the password is already entered. Looking at the logs
> it seems as though this second attempt is in fact the kerberos auth
> not LDAP as I had initially thought. This is what's logged in
> /var/cache/squid3/cache.log whilst this takes place (long lines have
> been truncated).

Looking ahead I see you actually mean "Basic authentication" where you
have written "LDAP".

> 2011/12/23 10:25:13| squid_kerb_auth: DEBUG: Got 'YR
> (length: 59).
> 2011/12/23 10:25:13| squid_kerb_auth: DEBUG: Decode
> length: 40).
> 2011/12/23 10:25:13| squid_kerb_auth: WARNING: received type 1 NTLM token

This is NTLM version 1 authentication being sent by IE (real name:
Negotiate/NTLM) instead of Kerberos (real name: Negotiate/Kerberos).

So, what is actually happening is that IE is attempting to login with
NTLM. The Squid helper is rejecting that old protocol, then IE is re-trying
with Negotiate/Kerberos like it should have to start with.

To avoid this, upgrade IE to at least IE7 and check the machine's
authentication security level is set to a minimum of NTLMv2, with
working kerberos tokens (current IE7 will try those first if they are okay).

(I'm sorry I can't be more specific and point at how-tos but it has
been a very long time since I had to deal with the inner config details
of Windows. Hopefully someone else can provide that.)

> Besides that we also have a problem with iTunes access. When iTunes
> runs it prompts for authentication regardless of whether the user is
> logged in to the domain or not and fails to authenticate regardless of
> entering the login multiple times. The following is logged in
> /var/log/squid3/cache.log.
> 2011/12/23 10:03:13| squid_kerb_auth: DEBUG: Got 'YR
> (length: 59).
> 2011/12/23 10:03:13| squid_kerb_auth: DEBUG: Decode
> length: 40).
> 2011/12/23 10:03:13| squid_kerb_auth: WARNING: received type 1 NTLM token
> 2011/12/23 10:03:13| authenticateNegotiateHandleReply: Error
> validating user via Negotiate. Error returned 'BH received type 1 NTLM
> token'
> The squid.conf is listed below. Am I mistaken about the
> authentication failing over to LDAP if kerberos fails - if so, is
> there a way to make this work for computers/software that cannot do
> kerberos besides whitelisting domains?

If updating IE and the system security level config to NTLMv2+ does not
fix this you can use Marcus's negotiate_wrapper helper and configure Squid
to accept both Negotiate/Kerberos and Negotiate/NTLM.

> I'm also a bit unsure about my http_access lines, hence you will see
> some commented out from some testing I am doing.
> ### /etc/squid3/squid.conf Configuration File #######
> ### cache manager
> cache_mgr
> ### kerberos authentication
> auth_param negotiate program /usr/lib/squid3/squid_kerb_auth -d -s HTTP/squidproxy.example.local
> auth_param negotiate children 10
> auth_param negotiate keep_alive on
> ### provide access via ldap for clients not authenticated via kerberos
> auth_param basic program /usr/lib/squid3/squid_ldap_auth -R \
> -b "dc=example,dc=local" \
> -D squid_at_example.local \
> -W /etc/squid3/ldappass.txt \
> -f sAMAccountName=%s \
> -h domaincontroller.example.local
> auth_param basic children 10
> auth_param basic realm Internet Proxy
> auth_param basic credentialsttl 1 minute

Here we have some confusion, which is why I stress being clear on LDAP.
You have *Basic* authentication over LDAP, and several external helper
group lookups over LDAP (not even authentication at all). Any one of which
might trigger a popup under the right conditions.

Your discovery that the second popup is Kerberos instead of NTLM is a
good sign that the negotiate_wrapper will work well for you.
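As an added illustration (not code from this thread or from Squid), the following Python shows what the "received type 1 NTLM token" warning is reacting to: it decodes the 'YR <base64>' request Squid hands to squid_kerb_auth and tells an NTLMSSP NEGOTIATE message apart from a GSS-API/SPNEGO token, then counts those warnings in a constructed cache.log excerpt so an admin can see how often clients fall back to NTLM. The NTLM flags and version fields are illustrative values; a type 1 message with empty domain/workstation fields is 40 bytes, which base64-encodes to the "length: 59" / "length: 40" pair quoted above.

```python
import base64
import re
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLM_WARNING = re.compile(r"squid_kerb_auth: WARNING: received type (\d) NTLM token")

def build_ntlm_type1(flags=0xE2088297):
    """Constructed NTLMSSP NEGOTIATE (type 1) message: signature, type, flags,
    empty domain/workstation buffers and the 8-byte version block = 40 bytes."""
    header = NTLMSSP_SIGNATURE + struct.pack("<II", 1, flags)
    buffers = struct.pack("<HHI", 0, 0, 40) * 2   # (len, maxlen, offset) x 2, both empty
    version = struct.pack("<BBHxxxB", 6, 1, 7601, 0x0F)  # illustrative OS version fields
    return header + buffers + version

def helper_request(token):
    """Render a token the way Squid hands it to the helper: 'YR <base64>'."""
    return "YR " + base64.b64encode(token).decode("ascii")

def classify_token(helper_line):
    """Return 'ntlm-type<N>', 'spnego', 'unknown' or 'malformed' for a 'YR/KK <b64>' line."""
    cmd, _, b64 = helper_line.strip().partition(" ")
    if cmd not in ("YR", "KK") or not b64:
        return "malformed"
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:            # binascii.Error is a ValueError subclass
        return "malformed"
    if raw.startswith(NTLMSSP_SIGNATURE) and len(raw) >= 12:
        return "ntlm-type%d" % struct.unpack_from("<I", raw, 8)[0]
    if raw[:1] == b"\x60":        # ASN.1 [APPLICATION 0]: GSS-API InitialContextToken (SPNEGO/Kerberos)
        return "spnego"
    return "unknown"

def count_ntlm_fallbacks(cache_log):
    """Count cache.log WARNING lines where the Kerberos helper was handed an NTLM token."""
    return sum(1 for line in cache_log.splitlines() if NTLM_WARNING.search(line))

# constructed cache.log excerpt modelled on the lines quoted in the thread
SAMPLE_LOG = """\
2011/12/23 10:25:13| squid_kerb_auth: WARNING: received type 1 NTLM token
2011/12/23 10:25:13| authenticateNegotiateHandleReply: Error validating user via Negotiate.
2011/12/23 10:25:14| squid_kerb_auth: DEBUG: Got 'YR YIIE...' (length: 1500).
2011/12/23 10:25:15| squid_kerb_auth: WARNING: received type 1 NTLM token
"""
```

A real Kerberos token starts with the 0x60 application tag and is far longer than 40 bytes, which is the quickest way to tell from a DEBUG "Got" line which mechanism the client actually chose.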

Received on Fri Dec 23 2011 - 02:13:18 MST
