"barbarossa" <bDmanLIB@xxxxxxxxxxx> wrote in message
news:1285759672914-2718780.post@xxxxxxxxxxxxxxxx
I don't know why, but authenticating in the IE login dialog using Kerberos
credentials works now (user@xxxxxxxxx, same as for FF).
For most of the page requests, squid writes logs like the following to
cache.log:
2010/09/29 11:19:50| squid_kerb_auth: Got 'YR
from squid (length: 767).
2010/09/29 11:19:50| squid_kerb_auth: parseNegTokenInit failed with rc=102
2010/09/29 11:19:50| squid_kerb_auth: AF
oYGgMIGdoAMKAQChCwYJKoZIgvcSAQICooGIBIGFYIGCBgkqhkiG9xIBAgICAG9zMHGgAwIBBaEDAgEPomUwY6ADAgEXolwEWktM3mOHT3CdVuGDl7VN64DKZ478GfooqXyH+JFSlneeXjdxNpRCxIF1JD0mfn+gLL0ud5P7SOHMbDX3cDj4B14ghldzGdKUyoFBZbGKoNSZMT3sCDEw0Gx2MA==
user@xxxxxxxxx
Is this normal?
Yes this (parseNegTokenInit failed with rc=102) is normal for a Kerberos
library which does not support SPNEGO natively.
As for IE, it probably deletes the ticket it created when exiting, as each
time I exit I must reauthenticate. Why does it not use the MIT ticket? Is
there a solution for this (creating "Windows" Kerberos tickets, configuring
IE to use MIT tickets, ...)?
This is a security feature in Windows. It is not possible for an external
application to write into the ticket cache. For Vista/7 it might be
possible, but I think the netidmgr has not implemented it.
You could set up your systems to authenticate users against the KDC, e.g. use
the KDC like an AD server together with a mapping of local users to KDC
users. (There have been blogs about this, although I don't recall the link.)
Thanks!
--
View this message in context:
http://squid-web-proxy-cache.1019090.n4.nabble.com/Simple-Kerberos-Squid-configuration-received-type-1-NTLM-token-tp2553379p2718780.html
Sent from the Squid - Users mailing list archive at Nabble.com.
Markus
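
When reading helper log lines like the ones quoted in this thread, it helps to know what kind of token is in the base64 blob: an SPNEGO wrapper, a bare Kerberos GSS token, or NTLM. The following is an added example, not part of the original messages and not Squid code; the function name `classify_negotiate_token` and the sample tokens are constructed for illustration, except for the short prefix copied from the AF line above.

```python
import base64

# DER-encoded mechanism OIDs (tag 0x06, length, value)
OID_SPNEGO = bytes.fromhex("06062b0601050502")         # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")     # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")  # 1.2.840.48018.1.2.2
NTLM_TYPES = {1: "negotiate", 2: "challenge", 3: "authenticate"}


def _skip_der_length(buf, pos):
    """Return the index just past the DER length field that starts at buf[pos]."""
    first = buf[pos]
    return pos + 1 if first < 0x80 else pos + 1 + (first & 0x7F)


def classify_negotiate_token(b64_token):
    """Classify the base64 blob of a Negotiate header or a helper YR/KK/AF line."""
    try:
        raw = base64.b64decode(b64_token, validate=True)
    except ValueError:
        return "invalid base64"
    if len(raw) < 2:
        return "too short"
    if raw.startswith(b"NTLMSSP\x00"):
        msg_type = int.from_bytes(raw[8:12], "little")
        return "NTLM type %d (%s)" % (msg_type, NTLM_TYPES.get(msg_type, "unknown"))
    if raw[0] == 0x60:  # GSS-API InitialContextToken: [APPLICATION 0] { OID, inner token }
        oid_at = _skip_der_length(raw, 1)
        if raw.startswith(OID_SPNEGO, oid_at):
            return "SPNEGO NegTokenInit"
        if raw.startswith(OID_KRB5, oid_at) or raw.startswith(OID_MS_KRB5, oid_at):
            return "raw Kerberos GSS token (no SPNEGO wrapper)"
        return "GSS-API token, other mechanism"
    if raw[0] == 0xA1:  # context tag [1]: SPNEGO reply from the acceptor
        return "SPNEGO NegTokenResp"
    return "unknown"


# Constructed samples, plus the first 12 bytes of the AF reply quoted in the thread.
SAMPLES = {
    "ntlm_type1": base64.b64encode(b"NTLMSSP\x00" + (1).to_bytes(4, "little") + bytes(4)).decode(),
    "spnego_init": base64.b64encode(b"\x60\x10" + OID_SPNEGO + bytes(8)).decode(),
    "raw_krb5": base64.b64encode(b"\x60\x82\x02\xf0" + OID_KRB5 + b"\x01\x00").decode(),
    "thread_af_prefix": "oYGgMIGdoAMKAQCh",
}

if __name__ == "__main__":
    for name, token in SAMPLES.items():
        print(name, "->", classify_negotiate_token(token))
```

Only the leading bytes are inspected, so a truncated copy of a token from cache.log is enough to classify it.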