Hi Paul,
"Paul Freeman" <paul.freeman@xxxxxxxxxx> wrote in message
news:19672EECFB9AE340833C84F3E90B595604014244@xxxxxxxxxxxxxxxxxxxxxx
Hi
I am running Squid 3.0STABLE19 on Ubuntu 10.04LTS as a "normal"
(non-transparent) proxy server for a number of Windows workstations in an
Active Directory environment using W2K8R2 domain controller servers running
in W2K3 functional mode.
I have implemented authentication in Squid using the squid_kerb_auth module
from Markus Moeller. Authentication is working fine for users logging in
using domain credentials on domain registered workstations using both IE7
and 8 on Windows XP and Firefox 3.6.3.
However, I would like to allow the occasional non-domain user to have
internet access via Squid and so it would be helpful for a login dialog box
to be presented. When IE 7 and 8 are used, this occurs and authentication
is successful. However, with Firefox it does not and an error is returned by
Squid - Access Denied.
Looking at some packet dumps between the Windows workstation and Squid
shows that Firefox tries a few times to auth then gives up. Enabling logging in
Firefox reveals Firefox responds similarly to IE with a GET request with a
Proxy-Authorization: Negotiate ..... header. In the Squid cache log it
indicates:
squid_kerb_auth: Got 'YR T1RMT...AAAADw==' from squid (length 59).
squid_kerb_auth: received type 1 NTLM token
However, unlike IE, it then gives up whereas IE then initiates a KRB5
AS-REQ to a domain controller then gets a ticket and then contacts Squid again at
which point it authenticates.
I would like to know some more details here. Do you also see a KRB5 AS-REQ
at any time before? Can you use kerbtray from MS and list Kerberos tickets
for the non domain user?
In the Firefox log, just before the GET request, it shows:
service = fqdn.of.squid.proxy
using negotiate-sspi
using SPN of [HTTP/fqdn.of.squid.proxy]]
AcquireCredentailsHandle() succeeded
nsHttpNegotiateAuth:: GenerateCredentials_1_9_2() [challenge=Negotiate]
entering nsAuthSSPI::GetNextToken()
InitializeSecurityContext: continue
Sending a token of length 40
Then after sending the GET request and receiving the Squid 407 response it
shows:
nsHttpNegotiateAuth:: GenerateCredentials_1_9_2() [challenge=Negotiate]
entering nsAuthSSPI::GetNextToken()
Cannot restart authentication sequence!
Does Firefox work after you used IE? e.g. does IE cache credentials which
can be used by Firefox?
Do you see any Kerberos traffic? Do you see DNS SRV requests to determine
the kdc?
Does Firefox not like the Squid HTTP1.0 Proxy-Connection: close response in
response to its HTTP1.1 Proxy-Connection: keep-alive GET request?
I am puzzled as to whether Squid, Firefox or IE is behaving as one would
expect given the scenario?
Does anyone have any ideas?
If Squid and Firefox are behaving correctly but IE is doing a workaround
then that is OK and I will need to live with the situation.
I am happy to perform additional debug work to investigate the problem further.
I have tried various settings in the Firefox about:config -
network.negotiate-auth.trusted-uris configuration item, and other similar
related settings mentioned in other posts but without success.
Reading some Mozilla Dev postings over the last 12 months or so indicates
there have been some issues with NTLM and Kerberos in various versions of
Firefox but I think these have been addressed.
Thanks in advance
Paul Freeman
Markus
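As an added illustration that is not part of this thread or of Squid's own code: a small Python classifier for the Negotiate tokens discussed above, which tells a raw NTLMSSP type 1/2/3 message apart from a SPNEGO-wrapped Kerberos or NTLM token, reading either a squid_kerb_auth "YR ..." helper line or a Proxy-Authorization header value. This is what a proxy operator can run over captured headers or cache.log lines to see which clients are falling back from Kerberos to NTLM. The OID constants and the constructed 40-byte type 1 message are my assumptions, not values taken from the thread.

```python
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
# DER-encoded mechanism OIDs (assumed constants, not from the thread)
SPNEGO_OID = bytes.fromhex("06062b0601050502")      # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # 1.2.840.113554.1.2.2


def classify_negotiate_token(raw: bytes) -> str:
    """Classify a decoded Negotiate blob: raw NTLMSSP, SPNEGO-wrapped, or unknown."""
    if raw.startswith(NTLMSSP_SIGNATURE) and len(raw) >= 12:
        # NTLMSSP header: 8-byte signature followed by a little-endian message type
        return f"ntlm-type{struct.unpack_from('<I', raw, 8)[0]}"
    if raw[:1] == b"\x60" and SPNEGO_OID in raw[:20]:
        # SPNEGO InitialContextToken: inspect which mechanism token it carries
        idx = raw.find(NTLMSSP_SIGNATURE)
        if idx >= 0 and len(raw) >= idx + 12:
            return f"spnego-ntlm-type{struct.unpack_from('<I', raw, idx + 8)[0]}"
        if KRB5_OID in raw:
            return "spnego-krb5"
        return "spnego-other"
    return "unknown"


def classify_helper_line(line: str) -> str:
    """Parse a squid_kerb_auth stdin line: 'YR <b64>' starts a sequence, 'KK <b64>' continues it."""
    parts = line.strip().split(" ", 1)
    if len(parts) != 2 or parts[0] not in ("YR", "KK"):
        raise ValueError("not a negotiate helper line")
    return classify_negotiate_token(base64.b64decode(parts[1]))


def classify_proxy_auth_header(value: str) -> str:
    """Classify a Proxy-Authorization header value as seen in the client's GET request."""
    scheme, _, blob = value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not blob:
        return "not-negotiate"
    return classify_negotiate_token(base64.b64decode(blob))


def sample_ntlm_type1() -> bytes:
    """Constructed 40-byte NTLM type 1 message (signature, type, flags, empty domain/workstation, version)."""
    flags = struct.pack("<I", 0xE2088297)  # typical NEGOTIATE flag set, assumed
    return NTLMSSP_SIGNATURE + struct.pack("<I", 1) + flags + b"\x00" * 16 + b"\x00" * 8


def sample_helper_line() -> str:
    """The line squid would pass to the helper for the constructed type 1 token."""
    return "YR " + base64.b64encode(sample_ntlm_type1()).decode()


if __name__ == "__main__":
    line = sample_helper_line()
    print(len(line), line[:15], classify_helper_line(line))
```

A 40-byte type 1 message base64-encodes to 56 characters, so the helper line is 59 characters long, matching the "(length 59)" the cache log reported above.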