Ah, just seem this - apologies for my post. I think I understand this and will give it a go.. On 08/04/2010 20:08, "Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx> wrote: Hi Nick, Did you use samba to create the keytab. I have seen that if you use samba for more then squid (e.g. cifs, winbind, etc) it will update regularly the AD entry and key for the host/fqdn principal which is the same as for HTTP/fqdn. I usually use msktutil and create a second AD entry called <short-hostname>-HTTP to be independent of samba which usually uses <short-hostname>. Regards Markus "Nick Cairncross" <Nick.Cairncross@xxxxxxxxxxxxxxx> wrote in message news:C7E35DA9.1EB06%Nick.Cairncross@xxxxxxxxxxxxxxxxxx Bilal, I'm working on much the same thing, with added Apple Mac just to complicate things. My aim is to create an SSO environment for all my Windows, OSX and nix machines. I want to use Kerberos as my primary authentication as IE7 and FF onwards are moving that way..but for my situation some browsers or applications do not support this and I must also use NTLM. However, Opera on my Macs seems to not like either and prefers Basic.. It's been a struggle to get each element to work but not impossible. I have found that all Negotiate/Kerberos supporting browsers have worked extremely well with the helper developed by Markus. Many of the authentication breaking elements have disappeared when compared to my Blue Coat and ISA experiences. Those machines joined to the domain using browsers that support Neg/Kerb work seamlessly with Kerberos - FF and IE - and pass through credentials. Mac Safari relies on NTLM and prompts as such. Mac Opera prompts for Basic. Therefore if you're just Windows I would answer fairly confidently that your question 1 answer is Yes. Users not on the domain would be prompted for credentials. I haven't tested this and depending on which helper you are using (Samba or Squids) and whether you're joined to the domain I believe Negotiate should fall back to NTLM and work providing you supply a valid domain user/pass! So the answer to 2 would be 'depends..' :) As for the issue of not being to able to use Squid at all and taking into account what I said earlier, then yes there could be a scenario where Squid will not work for your users. However, it is less of a problem in just Windows. It's all about testing your various Windows configurations, apps and browsers until you are sure you have covered the conceivable setups of all your users. Finally, I have been struggling against an issue where my KVNO Keytab increments in AD and gets out of sync with the exported version making Squid un-useable until it's regenerated. Have you experienced this? Happy to discuss any of this off list or on. Cheers, Nick On 08/04/2010 04:06, "GIGO ." <gigoz@xxxxxxx> wrote: If i select negotiate/Kerberos as authentication protocol for my Squid on Linux and configure no FallBack Authentication.what would be the consequence ? 1. Isnt it that all of my users who have logged into Active Directory and where browser is supported will be able to use squid? 2. Only those users who will try to use squid from a workgroup giving their domain passoword (domainname/userid) will fail as there will be no fallback aviablable. 3. Is there any other scenario in which these users will not be able to use squid? I would be really thankful if you guide me further as i am failing to understand why a fallback authentication is necessary if it is. What could be the scenario when windows clients have no valid TGT even if they are login to the domain? I hope you can understand me and help me to clear my self. regards, Bilal Aslam ---------------------------------------- > To: squid-users@xxxxxxxxxxxxxxx > From: huaraz@xxxxxxxxxxxxxxxx > Date: Wed, 7 Apr 2010 20:17:20 +0100 > Subject: Re: Re: Re: SSO with Active Directory-Squid Clients > > Sorry I knew that but forgot to mention that I was talking about the Unix > version. > > Thank you > Markus > > "Guido Serassio" wrote in message > news:58FD293CE494AF419A59EF7E597FA4E64002FA@xxxxxxxxxxxxxxxxxxxxxxxxxxxx > Hi Markus, > >> If you have a Windows client and the proxy send WWW-Proxy-Authorize: >> Negotiate the Windows client will try first to get a Kerberos ticket > and >> if that succeeds sends a Negotiate response with a Kerberos token to > the >> proxy. >> If the Windows client fails to get a Kerberos ticket the client will > send >> a Negotiate response with a NTLM token to the proxy. Unfortunately > there> is yet no squid helper which can handle both a > Negotiate/Kerberos response >> and a Negotiate/NTLM response (although maybe the samba ntlm helper > can).> So there is a fallback when you use Negotiate, but it has some > caveats. > > This is not true when Squid is running on Windows: the Windows native > Negotiate Helper can handle both Negotiate/Kerberos and Negotiate/NTLM > responses. > > Regards > > > Guido Serassio > Acme Consulting S.r.l. > Microsoft Gold Certified Partner > VMware Professional Partner > Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY > Tel. : +39.011.9530135 Fax. : +39.011.9781115 > Email: guido.serassio@xxxxxxxxxxxxxxxxx > WWW: http://www.acmeconsulting.it > > ** Please consider the environment before printing this e-mail ** The information contained in this e-mail is of a confidential nature and is intended only for the addressee. If you are not the intended addressee, any disclosure, copying or distribution by you is prohibited and may be unlawful. Disclosure to any party other than the addressee, whether inadvertent or otherwise, is not intended to waive privilege or confidentiality. Internet communications are not secure and therefore Conde Nast does not accept legal responsibility for the contents of this message. Any views or opinions expressed are those of the author. Company Registration details: The Conde Nast Publications Ltd Vogue House Hanover Square London W1S 1JU Registered in London No. 226900