Re: Re: Re: Squid 3.1.6, Kerberos and strange browser auth behavior

"Aleksandar Ciric" <aciric79@xxxxxxxxx> wrote in message news:375975.43025.qm@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Gentoo Squid, IE browser

1. GET google
2. 407, Proxy-Authenticate: Negotiate\r\n
3. GET google, Proxy-Authorization: Negotiate <token>, NTLMSSP
4. 407, Proxy-Authenticate: Negotiate\r\n

Interesting. I thought Negotiate will use Kerberos first and then NTLM.

5. Pass Prompt (stays on after ack)
6. KRB5 AS-REQ/AS-REP, TGS-REQ/TGS-REP (with AD server)
7. GET google, Proxy-Authorization: Negotiate <token>, GSS-API (SPNEGO)

What does Squid say here in the logfile? If the token is complete it should already return 200 OK.

If not, 8. should also return a token after Negotiate. Can you confirm that 8. does not contain a GSSAPI token?

8. 407, Proxy-Authenticate: Negotiate\r\n
pause (here I waited about a minute to type all this)
9. Ack the pass prompt again (same user/pass, it stays filled in)
10. KRB5 AS-REQ/AS-REP, TGS-REQ/TGS-REP (with AD server)
11. GET google, Proxy-Authorization: Negotiate <token>, GSS-API (SPNEGO)
12. 200 OK, Proxy-Authentication-Info: Negotiate

Token in 7 & 11 is exactly the same, same pvno, as are Kerberos ticket version numbers in 6 and 10.

There is no difference in 2, 4, 8 headerwise.

Apparently that pause removed the need for a third time; however, you can blitz through the entire process by acknowledging the pass prompt 3x in a row, which would only add steps 6, 7 & 8 once more.

Interestingly, a rather long pause (tried 30 secs, needs about a minute) made all the difference.


Regards
Markus
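
The trace above turns on what follows `Negotiate` in each header: nothing (steps 2, 4, 8), a raw NTLMSSP message (step 3), or a GSS-API/SPNEGO token (steps 7, 11). The following is an added example, not part of the original thread or of Squid, that classifies a header value copied from a capture; the function names and sample tokens are constructed for illustration.

```python
import base64

# DER-encoded OID contents (tag 0x06 and length byte excluded)
SPNEGO_OID = bytes.fromhex("2b0601050502")         # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")     # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")  # 1.2.840.48018.1.2.2

def _der_len(buf, pos):
    """Return (length, next_pos) for the DER length field at buf[pos]."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def classify_negotiate(header_value):
    """Classify the value of a Proxy-Authorization/Proxy-Authenticate header."""
    parts = header_value.split()
    if len(parts) < 2 or parts[0].lower() != "negotiate":
        return "no-token"            # bare "Negotiate", as in steps 2, 4, 8
    try:
        raw = base64.b64decode(parts[1], validate=True)
    except ValueError:               # binascii.Error is a ValueError
        return "invalid-base64"
    if raw.startswith(b"NTLMSSP\x00"):
        return "raw-ntlm"            # NTLM sent without SPNEGO wrapping (step 3)
    if raw[:1] == b"\xa1":
        return "spnego-response"     # NegTokenResp, context tag [1]
    if raw[:1] != b"\x60":           # 0x60 = GSS-API InitialContextToken
        return "unknown"
    try:
        _, pos = _der_len(raw, 1)
        if raw[pos] != 0x06:         # mechanism OID must come first
            return "malformed-gssapi"
        oid_len, pos = _der_len(raw, pos + 1)
        oid = raw[pos:pos + oid_len]
    except (ValueError, IndexError):
        return "malformed-gssapi"
    if oid == SPNEGO_OID:
        return "spnego"              # steps 7 and 11
    if oid in (KRB5_OID, MS_KRB5_OID):
        return "kerberos"            # bare Kerberos AP-REQ, no SPNEGO wrapper
    return "gssapi-other"

# Constructed samples, not captured traffic.
SAMPLE_NTLM = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00" + bytes(20)).decode()
SAMPLE_SPNEGO = "Negotiate " + base64.b64encode(b"\x60\x0a\x06\x06" + SPNEGO_OID + b"\xa0\x00").decode()
```
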