Markus

I will try and answer your questions in-line below. Please let me know if there is any other information or testing you would like me to do. I appreciate your assistance.

Regards

Paul

> -----Original Message-----
> From: Markus Moeller [mailto:huaraz@xxxxxxxxxxxxxxxx]
> Sent: Wednesday, 8 September 2010 4:54 AM
> To: squid-users@xxxxxxxxxxxxxxx
> Subject: Re: Squid 3.0 STABLE 19 and SPNEGO with Windows Firefox 3.6.3
>
> Hi Paul,
>
> >"Paul Freeman" <paul.freeman@xxxxxxxxxx> wrote in message
> >news:19672EECFB9AE340833C84F3E90B595604014244@xxxxxxxxxxxxxxxxxxxxxx
> >Hi
> >I am running Squid 3.0STABLE19 on Ubuntu 10.04LTS as a "normal"
> >(non-transparent) proxy server for a number of Windows workstations in an
> >Active Directory environment using W2K8R2 domain controller servers running
> >in W2K3 functional mode.
> >
> >I have implemented authentication in Squid using the squid_kerb_auth module
> >from Markus Moeller. Authentication is working fine for users logging in
> >using domain credentials on domain registered workstations using both IE7 and
> >8 on Windows XP and Firefox 3.6.3.
> >
> >However, I would like to allow the occasional non-domain user to have
> >internet access via Squid and so it would be helpful for a login dialog box
> >to be presented. When IE 7 and 8 are used, this occurs and authentication is
> >successful. However, with Firefox it does not and an error is returned by
> >Squid - Access Denied.
> >
> >Looking at some packet dumps between the Windows workstation and Squid shows
> >that Firefox tries a few times to auth then gives up. Enabling logging in
> >Firefox reveals Firefox responds similarly to IE with a GET request with a
> >Proxy-Authorization: Negotiate ..... header. In the Squid cache log it
> >indicates:
> >
> >squid_kerb_auth: Got 'YR T1RMT...AAAADw==' from squid (length 59).
> >squid_kerb_auth: received type 1 NTLM token
> >
> >However, unlike IE, it then gives up whereas IE then initiates a KRB5 AS-REQ
> >to a domain controller then gets a ticket and then contacts Squid again at
> >which point it authenticates.
> >
>
> I would like to know some more details here. Do you also see a KRB5 AS-REQ
> at any time before ? Can you use kerbtray from MS and list Kerberos tickets
> for the non domain user ?
>

I have watched the traffic from prior to launching Firefox to the end of the Firefox session. I have not seen any Kerberos related traffic from the Windows client. I have the MS Kerberos tools installed and kerbtray does not show any tickets - Client Principal field says "No network credentials". Strangely (maybe not???), there are also no tickets shown even while successfully using IE as a non-domain user.

>
> >In the Firefox log, just before the GET request, it shows:
> >
> >service = fqdn.of.squid.proxy
> >using negotiate-sspi
> >using SPN of [HTTP/fqdn.of.squid.proxy]
> >AcquireCredentialsHandle() succeeded
> >nsHttpNegotiateAuth:: GenerateCredentials_1_9_2() [challenge=Negotiate]
> >entering nsAuthSSPI::GetNextToken()
> >InitializeSecurityContext: continue
> >Sending a token of length 40
> >
> >Then after sending the GET request and receiving the Squid 407 response it
> >shows:
> >nsHttpNegotiateAuth:: GenerateCredentials_1_9_2() [challenge=Negotiate]
> >entering nsAuthSSPI::GetNextToken()
> >Cannot restart authentication sequence!
> >
>
> Does Firefox work after you used IE ? e.g. does IE cache credentials which
> can be used by Firefox ?
>

Firefox does not work after using IE or even while IE is still running as a non-domain user.

> Do you see any Kerberos traffic ? Do you see DNS SRV requests to determine
> the kdc ?
>

I have not seen any Kerberos related traffic or DNS SRV requests on the client when Firefox is running.
>
> >Does Firefox not like the Squid HTTP1.0 Proxy-Connection: close response in
> >response to its HTTP1.1 Proxy-Connection: keep-alive GET request?
> >
> >I am puzzled as to whether Squid, Firefox or IE is behaving as one would
> >expect given the scenario?
> >
> >Does anyone have any ideas?
> >
> >If Squid and Firefox are behaving correctly but IE is doing a workaround then
> >that is OK and I will need to live with the situation.
> >
> >I am happy to perform additional debug work to investigate the problem
> >further.
> >
> >I have tried various settings in the Firefox about:config -
> >network.negotiate-auth.trusted-uris configuration item, and other similar
> >related settings mentioned in other posts but without success.
> >
> >Reading some Mozilla Dev postings over the last 12 months or so indicates
> >there have been some issues with NTLM and Kerberos in various versions of
> >Firefox but I think these have been addressed.
> >
> >Thanks in advance
> >
> >Paul Freeman
> >
> >
> >__________ Information from ESET Smart Security, version of virus signature
> >database 5429 (20100906) __________
> >
> >The message was checked by ESET Smart Security.
> >
> >http://www.eset.com
> >
>
> Markus
>
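Added example, not part of the thread above and not squid_kerb_auth's own code: a small Python classifier for the token a browser puts in a Proxy-Authorization: Negotiate header. It makes the same first decision a Negotiate helper has to make before handing anything to GSS-API, namely whether the base64 blob is a raw NTLMSSP message (signature "NTLMSSP\0", which is what lies behind the "received type 1 NTLM token" line) or a GSS-API InitialContextToken (0x60 tag, RFC 2743) that leads with the SPNEGO or Kerberos v5 mechanism OID. For an NTLM NEGOTIATE message it also decodes the flag bits and the Version field. Two figures from the logs quoted above line up with that layout: a NEGOTIATE_MESSAGE with a Version field is 40 bytes (Firefox's "Sending a token of length 40"), which base64-encodes to 56 characters, plus the "YR " prefix gives the 59 in the squid_kerb_auth line, and its final byte, revision 0x0F, encodes as the trailing "Dw==". The sample tokens are constructed here; the flag value 0xE2088297 and the Windows version in them are illustrative, and the SPNEGO sample carries only valid outer framing, since the classifier looks at nothing past the mechanism OID.

```python
# Added example, not code from the squid-users thread or from squid_kerb_auth.
# Classifies the token carried in a "Proxy-Authorization: Negotiate <b64>" header:
# a raw NTLMSSP message, or a GSS-API InitialContextToken (RFC 2743 section 3.1)
# leading with the SPNEGO or Kerberos v5 mechanism OID. Sample tokens are constructed.
import base64
import binascii
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
# DER-encoded mechanism OIDs as they appear right after the 0x60 tag and its length
SPNEGO_OID = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")    # 1.2.840.113554.1.2.2

# Subset of MS-NLMP NegotiateFlags, enough to read a NEGOTIATE_MESSAGE (type 1)
NTLM_FLAGS = {
    0x00000001: "UNICODE",
    0x00000002: "OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000010: "SIGN",
    0x00000020: "SEAL",
    0x00000200: "NTLM",
    0x00008000: "ALWAYS_SIGN",
    0x00080000: "EXTENDED_SESSIONSECURITY",
    0x02000000: "VERSION",
    0x20000000: "128",
    0x40000000: "KEY_EXCH",
    0x80000000: "56",
}
NTLM_FLAG_VERSION = 0x02000000


def _past_der_length(buf, pos):
    """Index just after the DER length octets that start at buf[pos]."""
    first = buf[pos]
    return pos + 1 if first < 0x80 else pos + 1 + (first & 0x7F)


def classify_negotiate_token(header_value):
    """Describe the token in a Proxy-Authorization / Authorization header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return {"kind": "not-negotiate"}
    try:
        blob = base64.b64decode(b64.strip(), validate=True)
    except (binascii.Error, ValueError):
        return {"kind": "bad-base64"}
    info = {"kind": "unknown", "length": len(blob)}
    if blob.startswith(NTLMSSP_SIGNATURE) and len(blob) >= 16:
        # The check behind "received type 1 NTLM token": NTLMSSP signature, then
        # MessageType and NegotiateFlags as little-endian uint32 at offsets 8 and 12.
        msg_type, flags = struct.unpack_from("<II", blob, 8)
        info.update(kind="ntlm", message_type=msg_type,
                    flags=sorted(name for bit, name in NTLM_FLAGS.items() if flags & bit))
        if msg_type == 1 and flags & NTLM_FLAG_VERSION and len(blob) >= 40:
            # Version field at offset 32: ProductMajor, ProductMinor, ProductBuild
            major, minor, build = struct.unpack_from("<BBH", blob, 32)
            info["os_version"] = (major, minor, build)
        return info
    if len(blob) >= 2 and blob[0] == 0x60:
        oid_at = _past_der_length(blob, 1)
        if blob.startswith(SPNEGO_OID, oid_at):
            info["kind"] = "spnego"
        elif blob.startswith(KRB5_OID, oid_at):
            info["kind"] = "krb5"
        else:
            info["kind"] = "gss-unknown-mech"
    return info


def build_ntlm_negotiate(flags=0xE2088297, version=(6, 1, 7601)):
    """Constructed sample: NTLMSSP NEGOTIATE_MESSAGE with empty domain/workstation
    fields and a Version field (the flag value and version are illustrative)."""
    major, minor, build = version
    msg = NTLMSSP_SIGNATURE + struct.pack("<II", 1, flags)
    msg += b"\x00" * 16                                        # DomainNameFields, WorkstationFields
    msg += struct.pack("<BBH3xB", major, minor, build, 0x0F)   # Version; 0x0F = NTLMSSP_REVISION_W2K3
    return msg


def build_spnego_initial(inner=b"\xa0\x03\x02\x01\x00"):
    """Constructed sample: GSS-API InitialContextToken framing around the SPNEGO OID.
    The inner bytes are a placeholder; nothing here parses past the mechanism OID."""
    payload = SPNEGO_OID + inner
    assert len(payload) < 0x80          # keep the short-form DER length
    return b"\x60" + bytes([len(payload)]) + payload


def sample_header(token_bytes):
    """Header value as a browser would send it."""
    return "Negotiate " + base64.b64encode(token_bytes).decode("ascii")


if __name__ == "__main__":
    for tok in (build_ntlm_negotiate(), build_spnego_initial()):
        hdr = sample_header(tok)
        print(hdr[:40] + "...", classify_negotiate_token(hdr))
```

To use it on a real exchange, paste the value after "Proxy-Authorization:" from a packet capture into classify_negotiate_token. A result of kind "ntlm" with message_type 1 where "spnego" was expected is the signature of SSPI's Negotiate package having fallen back to NTLM because it had no Kerberos credentials to use for the SPN; the "Cannot restart authentication sequence!" line in the Firefox log is what the browser reports when the proxy answers that NTLM token with another bare 407 challenge instead of an NTLM type 2 response.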