"Aleksandar Ciric" <aciric79@xxxxxxxxx> wrote in message
news:353393.71638.qm@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hello,
I have a Gentoo server with 3.1.6 Squid. I have set up Kerberos
authentication with our AD server that works correctly when accessed from
a domain member computer.
However when I access it from (fully updated) Windows XP computer that is
not a member of a domain I get a prompt in IE8, I fill the prompt but have
to acknowledge it 3 times in a row until I am granted access. Wireshark
shows that IE8 successfully goes through AS-REQ/AS-REP TGS-REQ/TGS-REP on
each prompt acknowledgement. It sends same ticket (according to version
number) along with GET request but is let through only on 3rd attempt.
Chrome behaves a bit differently, it goes through AS-REQ/AS-REP
TGS-REQ/TGS-REP only once, but only upon hitting refresh 3rd time (on 3rd
GET) it gets through (as with IE, it does send ticket on first 2 GETs
too).
It looks like Chrome caches the credentials.
What does the log say? Does IE/Chrome request the same page three times?
Can you check what squid is returning to the client (e.g. is there a
Proxy-Authorization with a token returned)?
Firefox doesn't even get to try it; like other browsers, it tries NTLM on
startup but gives up upon failure and doesn't switch to Kerberos, however
it works fine when user is logged in with domain credentials.
I have similar working test setup on Fedora 10, with 3.0.22 Squid and
there is no such behavior noticed, so it can't be the client's fault. (same
config setting both for Kerberos and Squid, same AD). It actually runs on
my desktop machine while Gentoo one is VM on VMware Infrastructure. Both
machines are similar specs, VM one being even faster (3 GHz Xeon with 2GB
RAM).
I am puzzled as to what might be the reason for this behavior; any help would
be more than welcome.
What does squid return to the client in this case? Also a
Proxy-Authorization with a token?
Cira