Thanks Henrik, That was my issue with Firefox - it now authenticates just fine. I've been unable to get IE (6.0.2900.2180.xpsp_sp2_gdr.080814-1233) to authenticate. I know this isn't a squid-specific thing, but any ideas what setting in IE may be responsible for this? If not, no problem. I appreciate your rapid response on my main issue. Regards, Steve On Thu, Oct 23, 2008 at 3:03 PM, Henrik Nordstrom <henrik@xxxxxxxxxxxxxxxxxxx> wrote: > On tor, 2008-10-23 at 14:25 -0400, Steven Cardinal wrote: >> I see no sign on my DCs of any failed authentication. A tcpdump trace >> on my workstation shows no attempts from my Windows PC to perform any >> kerberos authentication. If I try running the command line specified >> in the squid.conf, I get: > > Then your browsers do not trust the proxy with kerberos authentication. > Verify that you have configured the proxy by name and not IP in the > browser proxy settings. To be exact the proxy name needs to match both a > name that the browser trusts with Kerberos authentication AND a server > kerberos ticket (or whatever those are called, kept in the keytab, > kerberos is not a strong field of mine..) > >> I'm guessing, however, that squid_kerb_auth can't be run just like >> that, however. > > Correct. You need to speak base64 encoded GSSAPI wrapped in Microsoft > Negotiate SSP protocol format wrapped in the "Squid NTLM/Negotiate > protocol" to it.. > >> Any ideas where I should look? I set my keytab file to be >> world-readable as a test and that didn't help. > > It seems you don't even get that far.. the very first steps is not > dependent on the helper, only browser.. only when the browser agrees on > sending the initial negotiation packet is the helper called. Until then > all that happens is that Squid says that authentication is required to > continue and the Negotiate SSP authentication protocol is supported. > > Regards > Henrik >
