>On Mon, Oct 4, 2010 at 9:44 AM, Nick Cairncross ><Nick.Cairncross@xxxxxxxxxxxxxxx> wrote: >> On 04/10/2010 07:48, "guest01" <guest01@xxxxxxxxx> wrote: >> >>>got NTLMSSP command 3, expected 1 >> >> As you say isn't that because a Kerberos client is trying to send auth >>and >> thus not capable of NTLM? Can you track it down to the requesting >> machine(s) and client? It's like my Mac Safaris can only use NTLM and >>not >> Kerberos, only reverse.. I use both helpers. Kerberos auth ordered first >> and then NTLM second in squid conf. >> >> N >> >yes, at least the error messages suggests that a client wants to send >kerberos specific data, but squid expected ntlm. But I don't know why, >because in general everything is working. But sometimes it is not, >then the user will get a browser pop-up asking for credentials (which >should not happen either with kerberos or ntlm). A few seconds later >it is working again (normally pressing escape a couple of times is >enough and then the user is authenticated again by ntlm). > >I tried to figure out which browser caused that problem, in my case it >was FF 3.6.10, but if I remember correctly, then I had the same >problem with IE too. > >But you are right, if I am using both helpers (ntlm, kerberos) it >should not appear, right? So the only working solution is to use >kerberos too? Any other possible fixes? > Is the example you are talking about from within Firefox or IE7+? I see the same thing for my non-domain joined machines in Firefox. FF tries Kerberos first and then changes to NTLM on pressing escape. Since they can't get a ticket for a non domain machine my users need to use NTLM as a backup - your cache.log might show something like: 2010/10/04 10:09:53| authenticateAuthenticate: Unexpected change of authentication scheme from 'negotiate' to 'NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' (client 192.168.1.27) (In Firefox) For me if I press escape I then receive a *slightly* different prompt relating to squid auth. I then enter my ntlm creds (domain\username) and I'm on. Logs show the user account is NTLM auth and not Kerberos. If it WAS a domain joined machine it would be the Kerberos UPN I would see from the start In IE if you disabled 'Integrated Windows Authentication' in the settings then I would be able to use NTLM for my non-domain machines as IE wants to use Kerberos otherwise. As for a 'fix', there isn't one AFAIK. However, some things to think about: is there a delay somewhere relating relating to NTLM auth? Sometimes not enough helpers, latency, locked accounts, bad lookups/DNS. As yet there is no wrapper for both Kerberos and NTLM, so two helpers it is. The information contained in this e-mail is of a confidential nature and is intended only for the addressee. If you are not the intended addressee, any disclosure, copying or distribution by you is prohibited and may be unlawful. Disclosure to any party other than the addressee, whether inadvertent or otherwise, is not intended to waive privilege or confidentiality. Internet communications are not secure and therefore Conde Nast does not accept legal responsibility for the contents of this message. Any views or opinions expressed are those of the author. The Conde Nast Publications Ltd (No. 226900), Vogue House, Hanover Square, London W1S 1JU