Re: Re: Squid 3.0 STABLE 19 and SPNEGO with Windows Firefox 3.6.3

Hi Paul,

Does your environment provide WINS server details via DHCP to the desktops ? I think in theory it should work as follows:

1) User connects to proxy which requests negotiate
2) The browser does not have any tickets and has not joined a domain to use NTLM so prompts the user
3) The user provides user@DOMAIN and password
4) Desktop tries to find Kerberos kdc locally using NetBIOS or with WINS
5) Desktop will send AS-REQ to kdc
6) Desktop will send TGS-REQ to kdc
7) Browser will send token to squid.

This would mean that Firefox does have a problem at step 4) and creates an NTLM token for DESKTOP\User

Markus

"Paul Freeman" <paul.freeman@xxxxxxxxxx> wrote in message news:19672EECFB9AE340833C84F3E90B595604014268@xxxxxxxxxxxxxxxxxxxxxx
Markus
I will try and answer your questions in-line below.  Please let me know if
there is any other information or testing you would like me to do.

I appreciate your assistance.

Regards

Paul

-----Original Message-----
From: Markus Moeller [mailto:huaraz@xxxxxxxxxxxxxxxx]
Sent: Wednesday, 8 September 2010 4:54 AM
To: squid-users@xxxxxxxxxxxxxxx
Subject: Re: Squid 3.0 STABLE 19 and SPNEGO with Windows Firefox 3.6.3

Hi Paul,

>"Paul Freeman" <paul.freeman@xxxxxxxxxx> wrote in message
>news:19672EECFB9AE340833C84F3E90B595604014244@xxxxxxxxxxxxxxxxxxxxxx
>Hi
>I am running Squid 3.0STABLE19 on Ubuntu 10.04LTS as a "normal"
>(non-transparent) proxy server for a number of Windows workstations in an
>Active Directory environment using W2K8R2 domain controller servers running
>in W2K3 functional mode.
>
>I have implemented authentication in Squid using the squid_kerb_auth module
>from Markus Moeller.  Authentication is working fine for users logging in
>using domain credentials on domain registered workstations using both IE7
>and 8 on Windows XP and Firefox 3.6.3.
>
>However, I would like to allow the occasional non-domain user to have
>internet access via Squid and so it would be helpful for a login dialog box
>to be presented.  When IE 7 and 8 are used, this occurs and authentication
>is successful.  However, with Firefox it does not and an error is returned
>by Squid - Access Denied.
>
>Looking at some packet dumps between the Windows workstation and Squid shows
>that Firefox tries a few times to auth then gives up.  Enabling logging in
>Firefox reveals Firefox responds similarly to IE with a GET request with a
>Proxy-Authorization: Negotiate ..... header.  In the Squid cache log it
>indicates:
>
>squid_kerb_auth: Got 'YR T1RMT...AAAADw==' from squid (length 59).
>squid_kerb_auth: received type 1 NTLM token
>
>However, unlike IE, it then gives up whereas IE then initiates a KRB5 AS-REQ
>to a domain controller then gets a ticket and then contacts Squid again at
>which point it authenticates.
>

I would like to know some more details here.  Do you also see a KRB5 AS-REQ
at any time before?  Can you use kerbtray from MS and list Kerberos tickets
for the non domain user?


I have watched the traffic from prior to launching Firefox to the end of the
Firefox session.  I have not seen any Kerberos related traffic from the
Windows client.

I have the MS Kerberos tools installed and kerbtray does not show any tickets
- Client Principal field says "No network credentials".

Strangely (maybe not???), there are also no tickets shown even while
successfully using IE as a non-domain user.


>In the Firefox log, just before the GET request, it shows:
>
>service = fqdn.of.squid.proxy
>using negotiate-sspi
>using SPN of [HTTP/fqdn.of.squid.proxy]]
>AcquireCredentailsHandle() succeeded
>nsHttpNegotiateAuth:: GenerateCredentials_1_9_2() [challenge=Negotiate]
>entering nsAuthSSPI::GetNextToken()
>InitializeSecurityContext: continue
>Sending a token of length 40
>
>Then after sending the GET request and receiving the Squid 407
response it
>shows:
>nsHttpNegotiateAuth:: GenerateCredentials_1_9_2() [challenge=Negotiate]
>entering nsAuthSSPI::GetNextToken()
>Cannot restart authentication sequence!
>

Does Firefox work after you used IE?  e.g. does IE cache credentials which
can be used by Firefox?


Firefox does not work after using IE or even while IE is still running as a
non-domain user.

Do you see any Kerberos traffic?  Do you see DNS SRV requests to determine
the kdc?


I have not seen any Kerberos related traffic or DNS SRV requests on the
client when Firefox is running.


>Does Firefox not like the Squid HTTP1.0 Proxy-Connection: close response in
>response to its HTTP1.1 Proxy-Connection: keep-alive GET request?
>
>I am puzzled as to whether Squid, Firefox or IE is behaving as one would
>expect given the scenario?
>
>Does anyone have any ideas?
>
>If Squid and Firefox are behaving correctly but IE is doing a workaround
>then that is OK and I will need to live with the situation.
>
>I am happy to perform additional debug work to investigate the problem
>further.
>
>I have tried various settings in the Firefox about:config -
>network.negotiate-auth.trusted-uris configuration item, and other similar
>related settings mentioned in other posts but without success.
>
>Reading some Mozilla Dev postings over the last 12 months or so indicate
>there have been some issues with NTLM and Kerberos in various versions of
>Firefox but I think these have been addressed.
>
>Thanks in advance
>
>Paul Freeman
>
>
>__________ Information from ESET Smart Security, version of virus
signature
>database 5429 (20100906) __________
>
>The message was checked by ESET Smart Security.
>
>http://www.eset.com
>

Markus
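Added example, not part of this thread and not squid_kerb_auth's own code: the helper log line quoted above, "received type 1 NTLM token", means the blob the browser sent under the Negotiate scheme was an NTLMSSP message rather than the SPNEGO or Kerberos GSS-API token a Kerberos-only helper expects. The Python below classifies a Proxy-Authorization header value the same way, by base64-decoding it and checking for the NTLMSSP signature or the GSS-API mechanism OID, so a proxy admin can confirm from a log line or packet capture which mechanism the browser actually chose before tuning Squid or the client. The sample tokens are constructed inline (the NTLM type 1 message, the SPNEGO NegTokenInit and the raw Kerberos wrapper are minimal stand-ins, not captured traffic); the OIDs and the NTLMSSP signature are the standard values.

```python
import base64

# DER-encoded OID contents (tag and length stripped); standard values.
SPNEGO_OID = bytes.fromhex("2b0601050502")          # 1.3.6.1.5.5.2        SPNEGO
KRB5_OID = bytes.fromhex("2a864886f712010202")      # 1.2.840.113554.1.2.2 Kerberos V5
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")   # 1.2.840.48018.1.2.2  MS Kerberos
NTLM_SIGNATURE = b"NTLMSSP\x00"
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def _gss_mech_oid(token):
    """Return the mech OID of a GSS-API InitialContextToken (RFC 2743 3.1), or None.
    Layout: 0x60 <len> 0x06 <oidlen> <oid bytes> <mechanism-specific data>."""
    if len(token) < 2 or token[0] != 0x60:
        return None
    i = 1
    length = token[i]
    i += 1
    if length & 0x80:                 # long-form length: skip the length octets
        i += length & 0x7F
    if i + 2 > len(token) or token[i] != 0x06:
        return None
    oid_len = token[i + 1]
    oid = token[i + 2:i + 2 + oid_len]
    return oid if len(oid) == oid_len else None


def classify_negotiate_token(header_value):
    """Classify a Proxy-Authorization value as NTLM (which a Kerberos-only
    helper must reject), SPNEGO, raw Kerberos, or something else."""
    scheme, _, blob = header_value.strip().partition(" ")
    result = {"scheme": scheme, "mechanism": "unknown"}
    if scheme.lower() != "negotiate":
        result["mechanism"] = "not-negotiate"
        return result
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:                # binascii.Error is a ValueError subclass
        result["mechanism"] = "invalid-base64"
        return result
    if token.startswith(NTLM_SIGNATURE):
        msg_type = int.from_bytes(token[8:12], "little")   # NTLM MessageType field
        result["mechanism"] = "NTLM"
        result["ntlm_type"] = msg_type
        result["ntlm_type_name"] = NTLM_TYPES.get(msg_type, "unknown")
        return result
    oid = _gss_mech_oid(token)
    if oid == SPNEGO_OID:
        result["mechanism"] = "SPNEGO"
    elif oid in (KRB5_OID, MS_KRB5_OID):
        result["mechanism"] = "Kerberos"
    return result


# --- constructed sample tokens (stand-ins, not captured traffic) ---

def _der(tag, content):
    """Minimal DER TLV for short-form lengths (content under 128 bytes)."""
    if len(content) >= 128:
        raise ValueError("short-form DER only")
    return bytes([tag, len(content)]) + content


def build_ntlm_type1():
    """Constructed NTLM NEGOTIATE (type 1): signature, type, flags, empty
    domain and workstation fields."""
    flags = 0xE2088297
    return (NTLM_SIGNATURE + (1).to_bytes(4, "little")
            + flags.to_bytes(4, "little") + bytes(16))


def build_spnego_init():
    """Constructed SPNEGO NegTokenInit offering Kerberos V5 as its only mech."""
    mech_types = _der(0xA0, _der(0x30, _der(0x06, KRB5_OID)))
    neg_token_init = _der(0xA0, _der(0x30, mech_types))
    return _der(0x60, _der(0x06, SPNEGO_OID) + neg_token_init)


def build_raw_krb5():
    """Constructed raw Kerberos GSS token: mech OID, AP-REQ token id 0x01 0x00
    and a placeholder body (not a real AP-REQ)."""
    return _der(0x60, _der(0x06, KRB5_OID) + b"\x01\x00" + b"\x6e\x03\x30\x01\x00")


def negotiate_header(token):
    return "Negotiate " + base64.b64encode(token).decode("ascii")


SAMPLE_NTLM_HEADER = negotiate_header(build_ntlm_type1())
SAMPLE_SPNEGO_HEADER = negotiate_header(build_spnego_init())
SAMPLE_KRB5_HEADER = negotiate_header(build_raw_krb5())

if __name__ == "__main__":
    for h in (SAMPLE_NTLM_HEADER, SAMPLE_SPNEGO_HEADER, SAMPLE_KRB5_HEADER,
              "Basic dXNlcjpwdw=="):
        print(h[:40], "->", classify_negotiate_token(h))
```

A real NTLM type 1 blob always base64-encodes to a value starting with "TlRMTVNTUAAB", which is the quickest thing to look for in a capture; a SPNEGO token starts with "YIG" or "YII" followed by the OID, and neither of those will be accepted by a helper that only understands Kerberos.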

