[squid-users] Re: Kerberos with LDAP authentication failover and iTunes auth problems

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Fri, 23 Dec 2011 12:31:19 -0000

Hi Amos

"Amos Jeffries" <squid3_at_treenet.co.nz> wrote in message
> On 23/12/2011 12:39 p.m., James Robertson wrote:
>> We have successfully deployed a squid3 proxy in a Windows AD domain
>> that authenticates users with the kerberos helper and uses LDAP
>> queries to allow access based on Security groups in AD. This works
>> perfectly for IE, FF and Chrome and no authentication pop-ups occur.
>> We realised that not all applications use this authentication and that
>> sometimes non-domain PCs might need internet access so LDAP was to be
>> used as a backup authentication method.
> Please get this straight: LDAP is *not* an authentication method.
> It is one of several interfaces to AD. There are several real
> authentication methods which operate very differently and all use LDAP to
> contact AD.
>> I tested using a non-domain user on a Win7 workstation and when
>> opening IE it prompts for a login as I had expected but I notice that
>> I have to input the username and password a second time before it will
>> allow access. I also notice when this happens that the second
>> authentication dialogue automatically adds the domain prefix, i.e.
>> DOMAIN\user and the password is already entered. Looking at the logs
>> it seems as though this second attempt is in fact the kerberos auth
>> not LDAP as I had initially thought, this is what's logged in
>> /var/cache/squid3/cache.log whilst this takes place (long lines have
>> been truncated).
> Looking ahead I see you actually mean "Basic authentication" where you
> have written "LDAP".
>> 2011/12/23 10:25:13| squid_kerb_auth: DEBUG: Got 'YR
>> (length: 59).
>> 2011/12/23 10:25:13| squid_kerb_auth: DEBUG: Decode
>> length: 40).
>> 2011/12/23 10:25:13| squid_kerb_auth: WARNING: received type 1 NTLM token
> This is NTLM version 1 authentication being sent by IE (real name:
> Negotiate/NTLM) instead of Kerberos (real name: Negotiate/Kerberos).

The type 1 refers to the NTLM message type, not the NTLM version. So this can
be a valid start of an NTLMv2 exchange wrapped into SPNEGO and sent with
Negotiate (as you say, as Negotiate/NTLM).

> So, what is actually happening is that IE is attempting to login with
> NTLM. Squid helper is rejecting that old protocol, then IE is re-trying
> with Negotiate/Kerberos like it should have to start with.
> To avoid this upgrade IE to at least IE7 and check the machines
> authentication security level is set to a minimum of NTLMv2, with working
> kerberos tokens (current IE7 will try those first if they are okay).
> (I'm sorry I can't be more specific and point at how-tos, but it has been
> a very long time since I had to deal with the inner config details of
> Windows. Hopefully someone else can provide that.)
>> Besides that we also have a problem with iTunes access. When iTunes
>> runs it prompts for authentication regardless of whether the user is
>> logged in to the domain or not and fails to authenticate regardless of
>> entering the login multiple times. The following is logged in
>> /var/log/squid3/cache.log.
>> 2011/12/23 10:03:13| squid_kerb_auth: DEBUG: Got 'YR
>> (length: 59).
>> 2011/12/23 10:03:13| squid_kerb_auth: DEBUG: Decode
>> length: 40).
>> 2011/12/23 10:03:13| squid_kerb_auth: WARNING: received type 1 NTLM token
>> 2011/12/23 10:03:13| authenticateNegotiateHandleReply: Error
>> validating user via Negotiate. Error returned 'BH received type 1 NTLM
>> token'
>> The squid.conf is listed below. Am I mistaken about the
>> authentication failing over to LDAP if kerberos fails - if so, is
>> there a way to make this work for computers/software that cannot do
>> kerberos besides whitelisting domains?
> If updating IE and the system security level config to NTLMv2+ does not
> fix this you can use Markus' negotiate_wrapper helper and configure Squid
> to accept both Negotiate/Kerberos and Negotiate/NTLM.
>> I'm also a bit unsure about my http_access lines, hence you will see
>> some commented out from some testing I am doing.
>> ### /etc/squid3/squid.conf Configuration File #######
>> ### cache manager
>> cache_mgr cacheadmin_at_example.com
>> ### kerberos authentication
>> auth_param negotiate program /usr/lib/squid3/squid_kerb_auth -d -s
>> HTTP/squidproxy.example.local
>> auth_param negotiate children 10
>> auth_param negotiate keep_alive on
>> ### provide access via ldap for clients not authenticated via kerberos
>> auth_param basic program /usr/lib/squid3/squid_ldap_auth -R \
>> -b "dc=example,dc=local" \
>> -D squid_at_example.local \
>> -W /etc/squid3/ldappass.txt \
>> -f sAMAccountName=%s \
>> -h domaincontroller.example.local
>> auth_param basic children 10
>> auth_param basic realm Internet Proxy
>> auth_param basic credentialsttl 1 minute
> Here we have some confusion, which is why I stress being clear on LDAP.
> You have *Basic* authentication over LDAP, and several external helper
> group lookups over LDAP (not even authentication at all). Any one of which
> might trigger a popup under the right conditions.
> Your discovery that the second popup is Kerberos instead of NTLM is a good
> sign that the negotiate_wrapper will work well for you.

The best is to configure Negotiate with the wrapper to cover Negotiate/NTLM
and Negotiate/Kerberos, and NTLM as "pure" NTLM for applications/clients
which do not support Negotiate but NTLM (like some chat tools).

> Amos
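To make the "type 1" point in this thread concrete, here is an added example (not from the list, not Squid's or negotiate_wrapper's code) that decodes the `YR <base64>` line a Negotiate helper receives and reports which mechanism the token actually carries: a bare NTLMSSP message (what `squid_kerb_auth` rejects with "received type 1 NTLM token"), an NTLMSSP message wrapped in SPNEGO, or a Kerberos token. The NTLM "type" it prints is the MessageType field of the NTLMSSP header (1 = NEGOTIATE, 2 = CHALLENGE, 3 = AUTHENTICATE), which says nothing about NTLMv1 versus NTLMv2. Token layouts follow MS-NLMP, RFC 2743 and RFC 4178; the sample tokens are constructed inline and the Kerberos payloads are placeholders, since only the mechanism OID is inspected.

```python
import base64
import struct

# Standard GSS-API / SPNEGO mechanism OIDs as DER content octets.
OID_SPNEGO = bytes.fromhex("2b0601050502")           # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")       # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("2a864882f712010202")    # 1.2.840.48018.1.2.2 (Microsoft variant)
OID_NTLMSSP = bytes.fromhex("2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
NTLMSSP_SIG = b"NTLMSSP\x00"
NTLM_MSG_NAMES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def der_read(buf, pos):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der(tag, value):
    """Encode one DER TLV (used only to build the constructed samples)."""
    n = len(value)
    if n < 128:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def ntlm_message_type(msg):
    # MS-NLMP: MessageType is a little-endian uint32 at offset 8, after the signature.
    return struct.unpack_from("<I", msg, 8)[0]


def parse_neg_token_init(buf):
    """Return (mechTypes, mechToken or None) from a SPNEGO NegTokenInit ([0] SEQUENCE)."""
    _, negtok, _ = der_read(buf, 0)                    # [0] EXPLICIT
    _, seq, _ = der_read(negtok, 0)                    # SEQUENCE
    mechs, mech_token, pos = [], None, 0
    while pos < len(seq):
        tag, val, pos = der_read(seq, pos)
        if tag == 0xA0:                                # [0] mechTypes: SEQUENCE OF OID
            _, lst, _ = der_read(val, 0)
            q = 0
            while q < len(lst):
                _, oid, q = der_read(lst, q)
                mechs.append(oid)
        elif tag == 0xA2:                              # [2] mechToken: OCTET STRING
            _, mech_token, _ = der_read(val, 0)
    return mechs, mech_token


def classify_token(helper_line):
    """Classify the token in a 'YR <base64>' helper line the way a Negotiate helper sees it."""
    if not helper_line.startswith("YR "):
        raise ValueError("expected a 'YR <base64 token>' helper line")
    tok = base64.b64decode(helper_line[3:].strip())
    result = {"mech": "unknown", "wrapped": False, "ntlm_type": None}
    if tok.startswith(NTLMSSP_SIG):
        # Bare NTLMSSP under the Negotiate scheme: no SPNEGO, no Kerberos possible.
        result.update(mech="NTLM", ntlm_type=ntlm_message_type(tok))
        return result
    if not tok or tok[0] != 0x60:                      # not a GSS-API InitialContextToken
        return result
    _, body, _ = der_read(tok, 0)
    _, oid, pos = der_read(body, 0)
    if oid in (OID_KRB5, OID_MS_KRB5):
        result["mech"] = "Kerberos"
        return result
    if oid != OID_SPNEGO:
        return result
    mechs, mech_token = parse_neg_token_init(body[pos:])
    result["wrapped"] = True
    if mechs and mechs[0] in (OID_KRB5, OID_MS_KRB5):  # first mechType is the client's choice
        result["mech"] = "Kerberos"
    elif mechs and mechs[0] == OID_NTLMSSP:
        result["mech"] = "NTLM"
        if mech_token and mech_token.startswith(NTLMSSP_SIG):
            result["ntlm_type"] = ntlm_message_type(mech_token)
    return result


def describe(result):
    if result["mech"] == "NTLM":
        name = NTLM_MSG_NAMES.get(result["ntlm_type"], "unknown")
        where = "inside SPNEGO" if result["wrapped"] else "bare, not SPNEGO-wrapped"
        return f"NTLMSSP {name} message (type {result['ntlm_type']}), {where}"
    if result["mech"] == "Kerberos":
        return "Kerberos" + (" via SPNEGO" if result["wrapped"] else " (raw GSS-API token)")
    return "unrecognised token"


# ---- constructed samples (not captured traffic) ----
def ntlm_negotiate_message():
    # NTLM NEGOTIATE: signature, MessageType=1, NegotiateFlags (arbitrary), empty name fields.
    return NTLMSSP_SIG + struct.pack("<II", 1, 0xE2088297) + b"\x00" * 16


def spnego_init(mechs, mech_token):
    mech_list = der(0x30, b"".join(der(0x06, m) for m in mechs))
    fields = der(0xA0, mech_list) + der(0xA2, der(0x04, mech_token))
    return der(0x60, der(0x06, OID_SPNEGO) + der(0xA0, der(0x30, fields)))


def helper_line(token):
    return "YR " + base64.b64encode(token).decode()


SAMPLE_BARE_NTLM = helper_line(ntlm_negotiate_message())
SAMPLE_SPNEGO_NTLM = helper_line(spnego_init([OID_NTLMSSP, OID_KRB5], ntlm_negotiate_message()))
SAMPLE_SPNEGO_KRB = helper_line(spnego_init([OID_MS_KRB5, OID_KRB5, OID_NTLMSSP], b"AP-REQ placeholder"))
SAMPLE_RAW_KRB = helper_line(der(0x60, der(0x06, OID_KRB5) + b"\x01\x00AP-REQ placeholder"))

if __name__ == "__main__":
    for line in (SAMPLE_BARE_NTLM, SAMPLE_SPNEGO_NTLM, SAMPLE_SPNEGO_KRB, SAMPLE_RAW_KRB):
        print(describe(classify_token(line)))
```

Run against a real `cache.log` you would feed it the base64 after `Got 'YR` (the log line is truncated in the thread, so the samples above are used instead). The first two samples both report "type 1": one is what a Kerberos-only helper rejects, the other is the SPNEGO-wrapped start of an NTLM exchange that a wrapper offering both Negotiate/Kerberos and Negotiate/NTLM would hand to an NTLM helper.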

Received on Fri Dec 23 2011 - 12:37:52 MST

This archive was generated by hypermail 2.2.0 : Wed Dec 28 2011 - 12:00:03 MST