"Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx> wrote in message
news:h0gs7v$mkp$1@xxxxxxxxxxxxxxxx
>
----- Original Message -----
From: "Truth Seeker" <truth_seeker_3535@xxxxxxxxx>
To: "Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx>
Cc: "Squid maillist" <squid-users@xxxxxxxxxxxxxxx>
Sent: Sunday, June 07, 2009 10:23 AM
Subject: Re: Re: Re: Re: Squid + Kerberos + Active Directory
Dear Markus,
After trying all the possible ways, I got at least one time an error
message in cache.log:
2009/06/07 11:31:46| AuthConfig::CreateAuthUser: Unsupported or unconfigured/inactive proxy-auth scheme, 'NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw=='
So IE or Firefox don't do negotiate.
After that I didn't get this message at all.
My client is Win XP with IE 6 and Firefox 3.0.10. It's working really
fine behind the MS ISA Server.
But no way behind the squid???
BTW IE 6 does not support negotiate for proxy authentication if I remember
right. You need IE 7 or higher.
Because squid is configured for negotiate/kerberos. Can you do the following in Firefox:
1) Type about:config in the URL bar
2) In the filter type nego
3) double click on network.negotiate-auth.trusted-uris
4) Enter .panasonic.com
5) Try again
If that does not work can you run the attached binary on your XP desktop as follows:
getTGT -p HTTP/linuxproxy.panasonic.com
You should get an output like:
getTGT.exe -p HTTP/w2k3r2.win2003r2.home
2009/06/07 17:50:42| getTGT[5180]: Info: Context Key Information:
2009/06/07 17:50:42| getTGT[5180]: Signature Algorithm: (-138)
2009/06/07 17:50:42| getTGT[5180]: Encryption Algorithm: RSADSI RC4-HMAC(23)
2009/06/07 17:50:42| getTGT[5180]: Key Size: 128
2009/06/07 17:50:42| getTGT[5180]: Info: Context Session Key Length: 16
2009/06/07 17:50:42| getTGT[5180]: Info: Context Client Native Name: Administrator@xxxxxxxxxxxxxx
2009/06/07 17:50:42| getTGT[5180]: Info: Context Server Native Name: HTTP/w2k3r2.win2003r2.home@xxxxxxxxxxxxxx
2009/06/07 17:50:42| getTGT[5180]: Info: Context Start Time: 2009/06/07 17:50:42
2009/06/07 17:50:42| getTGT[5180]: Info: Context End Time: 2009/06/08 03:42:29
2009/06/07 17:50:42| getTGT[5180]: Info: Credential User Principal Name: Administrator@xxxxxxxxxxxxxx
2009/06/07 17:50:42| getTGT[5180]: Info: Credential ExpiryTime: 2009/06/08 03:42:29
and a klist tickets should give:
C:\WINNT\Profiles\Administrator.WIN2003R2.000>klist tickets
Cached Tickets: (2)
Server: krbtgt/WIN2003R2.HOME@xxxxxxxxxxxxxx
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
End Time: 6/8/2009 3:42:29
Renew Time: 6/14/2009 17:42:29
Server: HTTP/w2k3r2.win2003r2.home@xxxxxxxxxxxxxx
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
End Time: 6/8/2009 3:42:29
Renew Time: 6/14/2009 17:42:29
C:\WINNT\Profiles\Administrator.WIN2003R2.000>
klist is part of the resource kit tools
(http://www.microsoft.com/downloads/details.aspx?familyid=9d467a69-57ff-4ae7-96ee-b18c4790cffd&displaylang=en)
If getTGT gives an error like:
2009/06/07 17:55:10| getTGT[3640]: InitializeSecurityContext failed: SEC_E_TARGET_UNKNOWN
it means that either the kdc does not have a principal with the name or the
client does not have a valid user ticket, which can be checked with klist tgt:
C:\WINNT\Profiles\Administrator.WIN2003R2.000>klist tgt
Cached TGT:
ServiceName: krbtgt
TargetName: krbtgt
FullServiceName: Administrator
DomainName: WIN2003R2.HOME
TargetDomainName: WIN2003R2.HOME
AltTargetDomainName: WIN2003R2.HOME
TicketFlags: 0x40e00000
KeyExpirationTime: 1/1/1601 1:00:00
StartTime: 6/7/2009 17:42:29
EndTime: 6/8/2009 3:42:29
RenewUntil: 6/14/2009 17:42:29
TimeSkew: 1/1/1601 1:00:00
I captured the following types of traffic:
a. My XP Client + IE 6 <---> ISA Server
b. MY XP Client + IE 6 <---> squid-3.0.STABLE13-1.el5 + CentOS 5.2
c. more auth packet level details of Client <-> ISA Server
d. more auth packet level details of Client <-> Squid
Please see the attachments; I am hoping for a way to resolve the issue.
From all this what I understood is, the client is trying to do NTLM auth,
but the server doesn't support it. OK, if this is the case, how can I tell the
client not to use NTLM and just use Kerberos? Second case, how can I
configure squid to handle the NTLM based authentication?
There are NTLM helpers as part of the squid package available. Or better use the samba ntlm_auth helper.
Guide me please...
Regards
Markus
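An added example, not from this thread or from the Squid project, to settle the question raised above of what the client is really sending: a small Python helper that base64-decodes a proxy-auth token and reports whether it is raw NTLMSSP (with message type, flags and OS version) or a GSS-API/SPNEGO token, run on the token quoted from cache.log earlier in the thread. The SPNEGO sample is a constructed header used only to exercise the second branch, not a captured token.

```python
import base64
import struct

# Token quoted from the cache.log error earlier in this thread
CACHE_LOG_TOKEN = "TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw=="

# DER-encoded mechanism OIDs that may follow a GSS-API 0x60 header
MECH_OIDS = {
    bytes.fromhex("06062b0601050502"): "SPNEGO (1.3.6.1.5.5.2)",
    bytes.fromhex("06092a864886f712010202"): "Kerberos V5 (1.2.840.113554.1.2.2)",
}
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

# Constructed sample: a GSS-API header wrapping the SPNEGO OID (not a full token)
SPNEGO_SAMPLE = base64.b64encode(
    b"\x60\x0a" + bytes.fromhex("06062b0601050502") + b"\xa0\x00").decode()


def _der_length(buf, pos):
    """Return (length, offset after the length octets) for a DER length field."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def classify_token(b64):
    """Report which mechanism a base64 proxy-auth token really carries."""
    raw = base64.b64decode(b64)
    if raw.startswith(b"NTLMSSP\x00") and len(raw) >= 12:
        msg_type = struct.unpack_from("<I", raw, 8)[0]
        info = {"mech": "NTLM", "ntlm_type": NTLM_TYPES.get(msg_type, "unknown")}
        if msg_type == 1 and len(raw) >= 16:
            info["flags"] = struct.unpack_from("<I", raw, 12)[0]
            # The 8-byte Version field sits at offset 32 when NTLMSSP_NEGOTIATE_VERSION is set
            if info["flags"] & 0x02000000 and len(raw) >= 40:
                major, minor, build = struct.unpack_from("<BBH", raw, 32)
                info["os_version"] = f"{major}.{minor}.{build}"
        return info
    if raw[:1] == b"\x60":
        # RFC 2743 InitialContextToken: 0x60, length, then the mechanism OID
        _, pos = _der_length(raw, 1)
        for oid, name in MECH_OIDS.items():
            if raw[pos:pos + len(oid)] == oid:
                return {"mech": "GSS-API", "oid": name}
        return {"mech": "GSS-API", "oid": "unknown"}
    return {"mech": "unknown"}
```

For the token from the thread this reports an NTLM NEGOTIATE (type 1) message from a Windows 5.1.2600 (XP) client, confirming the browser never offered a Kerberos/SPNEGO token to the proxy.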