Markus
In our current setup, no WINS server is being provided to workstations obtaining an IP address via DHCP.

I am finding that Firefox is actually failing at step 3. It is not prompting for a username and password, unlike IE, which is.

Thanks

Paul

> -----Original Message-----
> From: Markus Moeller [mailto:huaraz@xxxxxxxxxxxxxxxx]
> Sent: Thursday, 9 September 2010 6:01 AM
> To: squid-users@xxxxxxxxxxxxxxx
> Subject: Re: Re: Squid 3.0 STABLE 19 and SPNEGO with Windows Firefox 3.6.3
>
> Hi Paul,
>
> Does your environment provide WINS server details via DHCP to the desktops? I think in theory it should work as follows:
>
> 1) User connects to proxy which requests negotiate
> 2) The browser does not have any tickets and has not joined a domain to use NTLM so prompts the user
> 3) The user provides user@DOMAIN and password
> 4) Desktop tries to find Kerberos kdc locally using NetBIOS or with WINS
> 5) Desktop will send AS-REQ to kdc
> 6) Desktop will send TGS-REQ to kdc
> 7) Browser will send token to squid.
>
> This would mean that Firefox does have a problem at step 4) and creates an NTLM token for DESKTOP\User
>
> Markus
>
> "Paul Freeman" <paul.freeman@xxxxxxxxxx> wrote in message
> news:19672EECFB9AE340833C84F3E90B595604014268@xxxxxxxxxxxxxxxxxxxxxx
> Markus
> I will try and answer your questions in-line below. Please let me know if there is any other information or testing you would like me to do.
>
> I appreciate your assistance.
> Regards
>
> Paul
>
> > -----Original Message-----
> > From: Markus Moeller [mailto:huaraz@xxxxxxxxxxxxxxxx]
> > Sent: Wednesday, 8 September 2010 4:54 AM
> > To: squid-users@xxxxxxxxxxxxxxx
> > Subject: Re: Squid 3.0 STABLE 19 and SPNEGO with Windows Firefox 3.6.3
> >
> > Hi Paul,
> >
> > >"Paul Freeman" <paul.freeman@xxxxxxxxxx> wrote in message
> > >news:19672EECFB9AE340833C84F3E90B595604014244@xxxxxxxxxxxxxxxxxxxxxx
> > >Hi
> > >I am running Squid 3.0STABLE19 on Ubuntu 10.04LTS as a "normal" (non-transparent) proxy server for a number of Windows workstations in an Active Directory environment using W2K8R2 domain controller servers running in W2K3 functional mode.
> > >
> > >I have implemented authentication in Squid using the squid_kerb_auth module from Markus Moeller. Authentication is working fine for users logging in using domain credentials on domain registered workstations using both IE7 and 8 on Windows XP and Firefox 3.6.3.
> > >
> > >However, I would like to allow the occasional non-domain user to have internet access via Squid and so it would be helpful for a login dialog box to be presented. When IE 7 and 8 are used, this occurs and authentication is successful. However, with Firefox it does not and an error is returned by Squid - Access Denied.
> > >
> > >Looking at some packet dumps between the Windows workstation and Squid shows that Firefox tries a few times to auth then gives up. Enabling logging in Firefox reveals Firefox responds similarly to IE with a GET request with a Proxy-Authorization: Negotiate ..... header. In the Squid cache log it indicates:
> > >
> > >squid_kerb_auth: Got 'YR T1RMT...AAAADw==' from squid (length 59).
> > >squid_kerb_auth: received type 1 NTLM token
> > >
> > >However, unlike IE, it then gives up whereas IE then initiates a KRB5 AS-REQ to a domain controller then gets a ticket and then contacts Squid again at which point it authenticates.
> > >
> >
> > I would like to know some more details here. Do you also see a KRB5 AS-REQ at any time before? Can you use kerbtray from MS and list Kerberos tickets for the non domain user?
> >
>
> I have watched the traffic from prior to launching Firefox to the end of the Firefox session. I have not seen any Kerberos related traffic from the Windows client.
>
> I have the MS Kerberos tools installed and kerbtray does not show any tickets - Client Principal field says "No network credentials".
>
> Strangely (maybe not???), there are also no tickets shown even while successfully using IE as a non-domain user.
>
> > >In the Firefox log, just before the GET request, it shows:
> > >
> > >service = fqdn.of.squid.proxy
> > >using negotiate-sspi
> > >using SPN of [HTTP/fqdn.of.squid.proxy]]
> > >AcquireCredentailsHandle() succeeded
> > >nsHttpNegotiateAuth:: GenerateCredentials_1_9_2() [challenge=Negotiate]
> > >entering nsAuthSSPI::GetNextToken()
> > >InitializeSecurityContext: continue
> > >Sending a token of length 40
> > >
> > >Then after sending the GET request and receiving the Squid 407 response it shows:
> > >nsHttpNegotiateAuth:: GenerateCredentials_1_9_2() [challenge=Negotiate]
> > >entering nsAuthSSPI::GetNextToken()
> > >Cannot restart authentication sequence!
> > >
> >
> > Does Firefox work after you used IE? e.g. does IE cache credentials which can be used by Firefox?
> >
>
> Firefox does not work after using IE or even while IE is still running as a non-domain user.
>
> > Do you see any Kerberos traffic? Do you see DNS SRV requests to determine the kdc?
> >
>
> I have not seen any Kerberos related traffic or DNS SRV requests on the client when Firefox is running.
>
> > >Does Firefox not like the Squid HTTP1.0 Proxy-Connection: close response in response to its HTTP1.1 Proxy-Connection: keep-alive GET request?
> > >
> > >I am puzzled as to whether Squid, Firefox or IE is behaving as one would expect given the scenario?
> > >
> > >Does anyone have any ideas?
> > >
> > >If Squid and Firefox are behaving correctly but IE is doing a workaround then that is OK and I will need to live with the situation.
> > >
> > >I am happy to perform additional debug work to investigate the problem further.
> > >
> > >I have tried various settings in the Firefox about:config - network.negotiate-auth.trusted-uris configuration item, and other similar related settings mentioned in other posts but without success.
> > >
> > >Reading some Mozilla Dev postings over the last 12 months or so indicate there have been some issues with NTLM and Kerberos in various versions of Firefox but I think these have been addressed.
> > >
> > >Thanks in advance
> > >
> > >Paul Freeman
> > >
> > >__________ Information from ESET Smart Security, version of virus signature database 5429 (20100906) __________
> > >
> > >The message was checked by ESET Smart Security.
> > >
> > >http://www.eset.com
> > >
> >
> > Markus
> >
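The squid_kerb_auth line Paul quotes (`Got 'YR T1RMT...AAAADw==' from squid (length 59)` followed by `received type 1 NTLM token`) is the quickest way to tell from cache.log which mechanism a client actually sent: a raw NTLMSSP message means the browser fell back to NTLM, while a Kerberos attempt arrives as a GSS-API token carrying the SPNEGO OID. The following Python is an added example, not code from the thread or from squid_kerb_auth: it parses such a helper log line (YR for a new request, KK for a continuation) and classifies the token. The tokens and log lines it builds are constructed samples shaped like the one in the thread (a 40-byte NTLM NEGOTIATE giving length 59), and the NTLM flag value is an assumed one.

```python
import base64
import re
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
SPNEGO_OID = bytes.fromhex("2b0601050502")  # 1.3.6.1.5.5.2

def _der_len(buf, i):
    # Return (length, index after the length field) for the DER length at buf[i].
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def classify_token(b64):
    # Raw NTLMSSP = NTLM fallback; 0x60 opens a GSS-API token whose OID should be SPNEGO.
    raw = base64.b64decode(b64)
    if raw.startswith(NTLMSSP_SIG) and len(raw) >= 12:
        return "ntlm", struct.unpack_from("<I", raw, 8)[0]
    if raw[:1] == b"\x60" and len(raw) > 2:
        _, i = _der_len(raw, 1)
        if raw[i:i + 1] == b"\x06":
            n, j = _der_len(raw, i + 1)
            if raw[j:j + n] == SPNEGO_OID:
                return "spnego", None
    return "unknown", None

def explain_helper_line(line):
    # squid_kerb_auth "Got '...' from squid" line: YR = new request, KK = continuation.
    m = re.search(r"Got '(YR|KK) (\S+)' from squid", line)
    if not m:
        return None
    kind, mtype = classify_token(m.group(2))
    return kind if mtype is None else "%s type %d" % (kind, mtype)

def build_ntlm_type1():
    # Constructed 40-byte NTLM NEGOTIATE: signature, type 1, flags (assumed
    # value), empty domain and workstation fields, 8-byte version block.
    return (NTLMSSP_SIG + struct.pack("<II", 1, 0xE20882B7)
            + struct.pack("<HHI", 0, 0, 32) * 2
            + bytes([6, 1, 0xB1, 0x1D, 0, 0, 0, 0x0F]))

def build_spnego_stub():
    # Constructed GSS-API token carrying the SPNEGO OID and an empty NegTokenInit.
    body = b"\x06\x06" + SPNEGO_OID + b"\xa0\x02\x30\x00"
    return b"\x60" + bytes([len(body)]) + body

def sample_line(token):
    # Constructed helper log line in the format the thread quotes.
    b64 = base64.b64encode(token).decode()
    return "squid_kerb_auth: Got 'YR %s' from squid (length %d)." % (b64, len("YR " + b64))
```

Running `explain_helper_line(sample_line(build_ntlm_type1()))` yields `ntlm type 1`, the same diagnosis the helper printed for Firefox, while the SPNEGO sample yields `spnego`.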