Hi Paul,
Does your environment provide WINS server details via DHCP to the desktops
? I think in theory it should work as follows:
1) User connects to proxy which requests negotiate
2) The browser does not have any tickets and has not joined a domain to
use NTLM so prompts the user
3) The user provides user@DOMAIN and password
4) Desktop tries to find Kerberos kdc locally using NetBIOS or with WINS
5) Desktop will send AS-REQ to kdc
6) Desktop will send TGS-REQ to kdc
7) Browser will send token to squid.
This would mean that Firefox does have a problem at step 4) and creates
an NTLM token for DESKTOP\User
Markus
"Paul Freeman" <paul.freeman@xxxxxxxxxx> wrote in message
news:19672EECFB9AE340833C84F3E90B595604014268@xxxxxxxxxxxxxxxxxxxxxx
Markus
I will try and answer your questions in-line below. Please let me know if
there is any other information or testing you would like me to do.
I appreciate your assistance.
Regards
Paul
-----Original Message-----
From: Markus Moeller [mailto:huaraz@xxxxxxxxxxxxxxxx]
Sent: Wednesday, 8 September 2010 4:54 AM
To: squid-users@xxxxxxxxxxxxxxx
Subject: Re: Squid 3.0 STABLE 19 and SPNEGO with Windows
Firefox 3.6.3
Hi Paul,
>"Paul Freeman" <paul.freeman@xxxxxxxxxx> wrote in message
>news:19672EECFB9AE340833C84F3E90B595604014244@xxxxxxxxxxxxxxxxxxxxxx
>Hi
>I am running Squid 3.0STABLE19 on Ubuntu 10.04LTS as a "normal"
>(non-transparent) proxy server for a number of Windows workstations in
an
>Active Directory environment using W2K8R2 domain controller servers
running
>in W2K3 functional mode.
>
>I have implemented suthenitcation in Squid using the squid_kerb_auth
module
>from Markus Moeller. Authentication is working fine for users logging
in
>using domain credentials on domain registered workstations using both
IE7
>and
>8 on Windows XP and Firefox 3.6.3.
>
>However, I would like to allow the occasional non-domain user to have
>internet access via Squid and so it would be helpful for a login
dialog box
>to be presented. When IE 7 and 8 are used, this occurs and
authentication
>is
>successful. However, with Firefox it does not and an error is
returned by
>Squid - Access Denied.
>
>Looking at some packet dumps between the Windows workstation and Squid
>shows
>that Firefox tries a few times to auth then gives up. Enabling
logging in
>Firefox reveals Firefox responds similarly to IE with a GET request
with a
>Proxy-Authorization: Negotiate ..... header. In the Squid cache log
it
>indicates:
>
>squid_kerb_auth: Got 'YR T1RMT...AAAADw==' from squid (length 59).
>squid_kerb_auth: received type 1 NTLM token
>
>However, unlike IE, it then gives up whereas IE then initiates a KRB5
>AS-REQ
>to a domain controller then gets a ticket and then contacts Squid
again at
>which point it authenticates.
>
I would like to know some more details here. Do you also see a KRB5
AS-REQ
at any time before ? Can you use kerbtray from MS and list Kerberos
tickets
for the non domain user ?
I have watched the traffic from prior to launching Firefox to the end of the
Firefox session. I have not seen any Kerberos related traffic from the
Windows client.
I have the MS Kerberos tools installed and kerbtray does not show any
tickets
- Client Principal field says "No network credentials".
Strangely (maybe not???), there are also no tickets shown even while
successfully using IE as a non-domain user.
>In the Firefox log, just before the GET request, it shows:
>
>service = fqdn.of.squid.proxy
>using negotiate-sspi
>using SPN of [HTTP/fqdn.of.squid.proxy]]
>AcquireCredentailsHandle() succeeded
>nsHttpNegotiateAuth:: GenerateCredentials_1_9_2() [challenge=Negotiate]
>entering nsAuthSSPI::GetNextToken()
>InitializeSecurityContext: continue
>Sending a token of length 40
>
>Then after sending the GET request and receiving the Squid 407
response it
>shows:
>nsHttpNegotiateAuth:: GenerateCredentials_1_9_2() [challenge=Negotiate]
>entering nsAuthSSPI::GetNextToken()
>Cannot restart authentication sequence!
>
Does Firefox work after you used IE ? e.g. does IE cache credentials
which
can be used by Firefox ?
Firefox does not work after using IE or even while IE is still running as a
non-domain user.
Do you see any Kerberos traffic ? Do you see DNS SRV requests to
determine
the kdc ?
I have not seen any Kerberos related traffic or DNS SRV requests on the
client when Firefox is running.
>Does Firefox not like the Squid HTTP1.0 Proxy-Connection: close
response in
>response to its HTTP1.1 Proxy-Connection: keep-alive GET request?
>
>I am puzzled as to whether Squid, Firefox or IE is behaving as one
would
>expect given the scenario?
>
>Does anyone have any ideas?
>
>If Squid and Firefox are behaving correctly but IE is doing a
workaround
>then
>that is OK and I will need to live with the situation.
>
>I am happy to perform additional debug work to investigate the problem
>further.
>
>I have tried various settings in the Firefox about:config -
>network.negotiate-auth.trusted-uris configuration item, and other
similar
>related settings mentioned in other posts but without success.
>
>Reading some Mozilla Dev postings over the last 12 months or so
indicate
>there have been some issues with NTLM and Kerberos in various versions
of
>Firefox but I think these have been addressed.
>
>Thanks in advance
>
>Paul Freeman
>
>
>__________ Information from ESET Smart Security, version of virus
signature
>database 5429 (20100906) __________
>
>The message was checked by ESET Smart Security.
>
>http://www.eset.com
>
Markus
__________ Information from ESET Smart Security, version of virus
signature database 5429 (20100906) __________
The message was checked by ESET Smart Security.
http://www.eset.com
__________ Information from ESET Smart Security, version of virus signature
database 5429 (20100906) __________
The message was checked by ESET Smart Security.
http://www.eset.com
