Hi. I have successfully installed Squid 3.1.8 on Ubuntu 10.04LTS and have enabled Kerberos/NTLM authentication using the squid_kerb_auth helper. This setup is working well and successfully authenticates Windows domain users when they are logged in using their domain credentials on Windows XP workstations using Internet Explorer (v6,7 and 8) and Firefox. Squid is configured with two helpers, the first, squid_kerb_auth and the second, the Samba ntlm helper. However, today I came across a problem when using Internet Explorer 8 on a server running Windows Server 2008 R2. The IE8 enhanced security mode is disabled and the logged in user is a standard domain user. The Windows server is joined to the domain and is not a domain controller. The Windows server is up to date with Microsoft patches and updates. Authentication is failing for some reason. Instead of authenticating silently, the user is prompted for a username and password 6 times before receiving the Cache Access Denied message. If I disable the squid_kerb_auth helper in squid.conf and restart squid, leaving only the Samba NTLM helper, authentication works successfully. In cache.log I find: squid_kerb_auth: DEBUG: Got 'YR YII... squid_kerb_auth: DEBUG: Decode 'YII... squid_kerb_auth: ERROR: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. squid_kerb_auth: INFO: User not authenticated authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH gss_accept_sec_contect() failed: Unspecified GSS failure. Minor code may provide more information. ' Has anyone else found this with IE8 on Windows Server 2008 R2? Is it due to the 64-bit version of IE8 or some unusual interaction between the IE8 version shipped with Windows Server 2008 R2 and the squid_kerb_auth module? I have a Wireshark capture of the traffic between the browser session on Windows Server 2008 R2 and the proxy server during authentication and would like to assist with investigating the problem further if someone can provide some advice as to where to look. Regards Paul
